Preface 



The PKC’99 conference, held in the ancient capital of Kamakura, Japan, March 
1-3, 1999, represents the second conference in the international workshop series 
dedicated to the practice and theory in public key cryptography. 

The program committee of the conference received 61 submissions from 12 coun- 
tries and regions (Australia, Canada, Finland, France, Japan, Saudi Arabia, Sin- 
gapore, Spain, Taiwan, UK, USA, and Yugoslavia), of which 25 were selected for 
presentation. All submissions were reviewed by experts in the relevant areas. 

The program committee consisted of Chin-Chen Chang of the National Chung 
Cheng University, Taiwan, Yvo Desmedt of the University of Wisconsin-Milwaukee, 
USA, Hideki Imai (Co-Chair) of the University of Tokyo, Japan, Markus Jakob- 
sson of Bell Labs, USA, Kwangjo Kim of Information and Communications 
University, Korea, Arjen Lenstra of Citibank, USA, Tsutomu Matsumoto of 
Yokohama National University, Japan, Eiji Okamoto of JAIST, Japan, Tatsuaki 
Okamoto of NTT, Japan, Nigel Smart of HP Labs Bristol, UK, and Yuliang 
Zheng (Co-Chair) of Monash University, Australia. Members of the committee 
spent numerous hours in reviewing the submissions and providing advice and 
comments on the selection of papers. We would like to take this opportunity to 
thank all the members for their invaluable help in producing such a high quality 
technical program. 

The program committee also asked expert advice of many of their colleagues, in- 
cluding: Masayuki Abe, Kazumaro Aoki, Daniel Bleichenbacher, Atsushi Fujioka, 
Eiichiro Fujisaki, Chandana Gamage, Brian King, Kunio Kobayashi, Tetsutaro 
Kobayashi, Phil MacKenzie, Hidemi Moribatake, Kazuo Ohta, Amin Shokrol- 
lahi, Shigenori Uchiyama, and Yongge Wang. We thank them all for their help. 

The conference would not have been successful without the skillful assistance 
of the members of the organizing committee. Our special thanks go to Takashi 
Mano of IPA, Japan, Kanta Matsuura and Hidenori Shida, both of University 
of Tokyo, Japan. 

Last, but not least, we would like to thank all the people who submitted their 
papers to the conference (including those whose submissions were not successful), 
as well as the workshop participants from around the world, for their support 
which made this conference possible. 
A New Type of “Magic Ink” Signatures — 
Towards Transcript-Irrelevant Anonymity 
Revocation 



Feng Bao and Robert H. Deng 



Information Security Group 
Kent Ridge Digital Labs 
{baofeng, deng}@krdl.org.sg 



Abstract. The magic ink signature recently proposed by Jakobsson and Yung is a 
blind signature which allows “unblinding” of a signature by authorities to 
establish what is known as an audit trail and anonymity revocation in case of 
criminal activities. In that scheme, as well as in all the previous fair blind 
signature schemes, trustees need to search a database maintained by signers to 
obtain a transcript of the corresponding signing protocol instance in order to 
trace the signature receiver. In other words, to establish anonymity revocation, 
the trustees need to know some information which was produced in the signing 
stage and kept by the signers. This is clearly not convenient for anonymity 
revocation in certain applications. In this paper, we propose a new type of 
magic ink signature scheme. The novel feature of the new scheme is that 
anonymity revocation is made transcript irrelevant. That is, the trustee can 
revoke a receiver’s anonymity based solely on the information embedded in a 
signature, not on any additional information; therefore, the trustee can revoke 
the anonymity without help from the signer, and hence without the signer 
knowing who is being traced. 

Key Words: blind signatures, anonymity revocation, traceability, e-commerce. 



1 Introduction 

The concept of blind signature was first proposed by Chaum. It is a protocol 
for a receiver to obtain a signature from a signer such that the signer’s view 
of the protocol cannot be linked to the resulting message-signature pair. The 
physical analog of blind signatures of Chaum is the following: the receiver writes 
a message on a paper, puts the paper and a carbon paper into an envelope. The 
signer writes his signature on the envelope. Due to the carbon paper, the signature 
is copied onto the paper. Only the receiver can present the signed message and the 
signer cannot get hold of the signed message and the signature. Blind signature 
schemes have been used in various cryptographic protocols to provide anonymity 
of some of the participants, including the generation of anonymous access tokens 
and credentials, voting protocols, and electronic payment systems. 

H. Imai and Y. Zheng (Eds.): PKC’99, LNCS 1560, pp. 1-11, 1999. 
All the existing blind signature schemes were designed to provide perfect 
anonymity. That is, it is impossible for anyone except the receiver to link a 
message-signature pair to the corresponding instance of the signing protocol. 
However, it has been noted that perfect anonymity could result in perfect 
crimes. In the case of anonymous access tokens, a malicious user could access a 
system and cause a lot of damage without being traced. In the case of anonymous 
electronic payment, blind signatures prevent anyone (except the payer) from 
linking the withdrawal of cash and the payment made by the same payer. This 
could result in perfect blackmailing or money laundering. Therefore, it is 
necessary to design blind signature schemes which provide receivers’ anonymity 
in normal circumstances and, should the need arise (e.g., for law enforcement 
or an audit trail), allow a trusted party (trustee) to revoke receivers’ 
anonymity. 

Blind signature schemes allowing anonymity revocation by a trustee or trustees 
have been studied in the literature. Fair blind signatures have been proposed 
in several variants: one scheme requires the trustee(s) to be on-line during 
the signing stage, while two others use off-line trustee(s) by exploiting the 
cut-and-choose technique. In later schemes, anonymity revocation can be 
achieved without the trustee(s) being involved in the signing stage. Good 
surveys of this subject are available in the literature. 

Most recently, a magic ink signature scheme was proposed by Jakobsson and Yung. 
It is a group blind signature scheme which requires n signers to take part in 
the signing stage and allows k < n signers (instead of trustees) to perform 
anonymity revocation. The physical analog of this magic ink signature is the 
following: the signer 
puts a paper and a carbon paper into an envelope. The receiver writes the doc- 
ument on the envelope using magic ink - the ink that is only visible after being 
“developed” . The signer then writes his signature on the envelope. Due to the 
carbon copy, both the receiver’s document and the signer’s signature appear on 
the internal paper. Finally, the receiver gets the paper and the signer keeps the 
envelope with the magic ink on it. Should the signer need to unblind the docu- 
ment, he can then get the document copy on the envelope by developing the magic 
ink. 

In this paper, we propose a new type of “magic ink” signatures from a 
completely different approach. Our “magic ink” signatures have the following 
physical parallel: the receiver places a document with a carbon paper on top in 
an envelope and hands it over to the signer. The signer signs on the envelope. 
Due to the carbon paper, this results in the signature being written on the 
document paper. Then the signer writes the receiver’s identity on the back of 
the envelope using our new “magic ink” - an invisible ink that penetrates the 
envelope and is written on the back of the document paper, where it becomes 
visible only after being “developed” by a trustee. Finally, the receiver gets 
the document paper with the signer’s signature on one side and the invisible 
ink on the other side. The receiver may pass the paper to anyone, who in turn 
may pass it further. To revoke a receiver’s anonymity, the trustee and only the 
trustee can develop the magic ink on the signed document. As a result, there is 
no need for anyone to keep the used envelopes. They can be thrown away after 
the signing stage. 

In the original magic ink signatures, as well as in all the previous fair blind 
signature schemes, trustees need to search a database to obtain a transcript of 
the corresponding signing protocol instance in order to trace the signature 
receiver. In other words, to establish anonymity revocation, the trustees need 
to know some information which was produced in the signing stage and kept by 
the signers. This means that the trustees must get assistance from the signers 
in order to do anonymity revocation. The novel feature of the new magic ink 
scheme proposed in this paper is that anonymity revocation is made transcript 
irrelevant. That is, the trustee can revoke a receiver’s anonymity based solely 
on the information embedded in a signature, not on any additional information; 
therefore, it can be completely accomplished by the trustee alone. Hence, no 
one else, except the trustee, knows who is being traced. This might be a 
required feature for law enforcement in certain cases. 

The rest of the paper is organized as follows. In Section 2 we first present the 
concept of disjoint orbits and then describe the basic idea of the proposed new 
scheme. In Section 3 we introduce a few cryptographic protocols for concealing 
starting points of disjoint orbits and for proving equality of logarithms, 
respectively. The proposed new scheme is formally described in Section 4, which 
is then followed by a discussion of its security in Section 5. A discussion of 
our protocol implementation is given in Section 6. Finally, Section 7 contains 
our concluding remarks. 



2 Disjoint Orbits and Outline of the New Scheme 

The concept of disjoint orbits is to partition a signature “space” into “disjoint 
orbits” and confine each user or receiver to a different one. One method to 
realize disjoint orbits, as proposed by Desmedt, is as follows. 

Let $p, q_1, q_2, \ldots, q_n$ be distinct odd primes such that 

$$p = 2 \prod_{i=1}^{n} q_i + 1.$$ 

Let $g_p$ be a generator of $\mathbb{Z}_p^*$ (i.e., $\mathbb{Z}_p^* = \langle g_p \rangle$) and let 
$g = g_p^2 \bmod p$. Then $g$ is a generator of $G_Q \subset \mathbb{Z}_p^*$, where 
$Q = \prod_{i=1}^{n} q_i$ and $G_Q$ is the subgroup of $\mathbb{Z}_p^*$ of order $Q$. Later, all 
our discussions are restricted to $G_Q = \langle g \rangle$. Let $a$ be a binary string of 
length $n$, say $a = (b_1 b_2 \cdots b_n)_2$ with $b_i$ being 0 or 1. Define 

$$g_a = g^{\prod_{i=1}^{n} q_i^{b_i}} \bmod p.$$ 

Clearly, $g_a$ has order $Q / \prod_{i=1}^{n} q_i^{b_i}$, i.e., the product of those $q_i$ whose 
bit $b_i$ is 0. For any $a$, if $s$ is relatively prime to $Q$ (i.e., $\gcd(s, Q) = 1$), 
then $g_a$ and $g_a^s$ have the same order. 

We are now ready to state the outline of our scheme. A trustee constructs 
many disjoint orbits which can only be distinguished by himself. Then he shows 
the starting points $g_a$ of these orbits to the signer, where $a$ is a binary string 
of length $n$ (hence the maximum number of disjoint orbits is $2^n - 2$, excluding 
the cases of $a = (0 \cdots 0)_2$ and $(1 \cdots 1)_2$). The signer places each receiver on a 
different starting point $g_a$ by assigning $a$ as the receiver’s identity (ID). A blind 
signature on a message issued to a receiver is based on $g_a$. To provide receiver 
anonymity, in addition to the message, $g_a$ is also blinded to 

$$G = g_a^s \bmod p$$ 

with $s$ randomly chosen by the receiver. Only with negligible probability can the 
receiver choose an $s$ such that $G$ has a different order from that of $g_a$ (i.e., 
randomly choose an $s$ that has a non-trivial common factor with $Q$). To revoke the 
receiver’s anonymity on the signature, the trustee, who knows $q_1, q_2, \ldots, q_n$, can 
trace the receiver from $G$ by calculating its order as follows. First assume its 
order is $\prod_{i=1}^{n} q_i^{b_i'}$ with $b_1', \ldots, b_n'$ unknown (so that $b_i' = 1 - b_i$). 
Then, for $i = 1, 2, \ldots, n$, check whether $G^{Q/q_i} = 1 \pmod p$. If the equality 
holds, $q_i$ does not divide the order of $G$, so let $b_i = 1$; otherwise let $b_i = 0$. 



3 Cryptographic Protocol Building Blocks 

Before presenting the details of our scheme, we describe some protocols for gener- 
ating blind signatures and for proving equality of logarithms respectively. These 
previously known protocols will be used as building blocks in constructing the 
new scheme in the next section. 



3.1 Blind Signature Concealing the Starting Point 

Let $p$ and $q$ be primes such that $q \mid p - 1$, $g$ be an element of $\mathbb{Z}_p^*$ of order $q$, 
$x \in \mathbb{Z}_q$ be the private key of the signer and $h = g^x \bmod p$ be the corresponding 
public key. Further, let $\mathcal{H}$ denote a cryptographic one-way hash function from 
arbitrary length input to fixed length output and $m$ denote the message to be 
signed. To make our notation compact, we will assume that all the exponential 
computations are done in $\mathbb{Z}_p^*$, and all the computations on exponents are 
done in $\mathbb{Z}_q$. 

Protocol 1 

1. The signer randomly chooses $w \in \mathbb{Z}_q$, sets $a' = g^w$ and sends $a'$ to 
the receiver. 

2. The receiver randomly chooses $u, v \in \mathbb{Z}_q$, calculates $a = a' g^v h^u$, 
$c = \mathcal{H}(m, a)$ and $c' = c + u$, and sends $c'$ to the signer. 

3. The signer sets $r' = w + c'x$ and sends $r'$ to the receiver. 

4. The receiver checks whether $a' = g^{r'} h^{-c'}$. If yes, he accepts $r'$ and 
sets $r = r' + v$. 

5. The receiver outputs $(r, c)$ as the signature of $m$. The verification of 
the signature is to check $c = \mathcal{H}(m, g^r h^{-c})$. 
Protocol 1 is developed based on the Schnorr signature and has been 
discussed in many references. The central idea of the Schnorr signature is to 
use a hash function as a random oracle in place of the random challenge 
generated by the verifier in the Schnorr identification protocol. 

We will use Protocol 2 below, a variant of Protocol 1, in our new magic ink 
signature scheme. In Protocol 2, besides $g$ and $h = g^x$, we also have $g_a$ and 
$h_a = g_a^x$. The pair $g_a$ and $h_a$ is specified as the base for the receiver with 
identity $a$. Protocol 2 is a blind signature protocol which conceals $g_a$ and $h_a$. 

Protocol 2 

1. The signer randomly chooses $w \in \mathbb{Z}_q$, sets $a' = g_a^w$ and sends $a'$ to 
the receiver. 

2. The receiver randomly chooses $s, u, v \in \mathbb{Z}_q$, calculates $a = (a' g_a^v h_a^u)^s$, 
$G = g_a^s$, $H = h_a^s$, $c = \mathcal{H}(m, a, G, H)$ and $c' = c + u$, and sends $c'$ to 
the signer. 

3. The signer sets $r' = w + c'x$ and sends $r'$ back to the receiver. 

4. The receiver checks whether $a' = g_a^{r'} h_a^{-c'}$. If yes, he accepts $r'$ and 
sets $r = r' + v$. 

5. The receiver outputs $(r, c, G, H)$ as the blind signature on $m$. The 
verification of the signature is to check $c = \mathcal{H}(m, G^r H^{-c}, G, H)$ and 
$H = G^x$. 

Note that in Protocol 2, it is essential to check the condition $H = G^x$ in 
verifying the signature; otherwise, anyone, without knowing $x$, can find 
$(r, c, G, H)$ such that $c = \mathcal{H}(m, G^r H^{-c}, G, H)$ by arbitrarily choosing $G$ and $y$ 
and then setting $H = G^y$ (with $y$ playing the role of the unknown $x$, the forger 
can solve the verification equation by himself). Checking the validity of 
$H = G^x$ is equivalent to proving that $\log_G H = \log_g h$. Such a proof 
cryptographically binds $G, H$ to the signer (since $g$ and $h$ are publicly known 
to be from the signer). Fortunately, this can be done without revealing $x$, as 
described in the next paragraph. 

3.2 Proving Equality of Logarithms 

The method of proof of equality of logarithms enables a prover to prove to a 
verifier that $\log_G H = \log_g h$ without revealing $x$, where $H = G^x$ and $h = g^x$. 

Protocol 3 

1. The prover randomly chooses $w \in \mathbb{Z}_q$, computes $a = g^w$, $A = G^w$ 
and sends $a$ and $A$ to the verifier. 

2. The verifier randomly chooses $c \in \mathbb{Z}_q$ and sends $c$ to the prover. 

3. The prover sets $r = w + cx$ and sends $r$ back to the verifier. 

4. The verifier checks whether $a = g^r h^{-c}$ and $A = G^r H^{-c}$. If yes, the 
proof is accepted. 

For discussions on the security of the above protocol, the reader is referred 
to the literature on proofs of equality of discrete logarithms. Replacing the 
random challenge $c$ by the output of a hash function, Protocol 3 can be modified 
to Protocol 4, in which a prover issues a certificate to prove that 
$\log_G H = \log_g h$. 
Protocol 4 

1. The prover randomly chooses $w \in \mathbb{Z}_q$, calculates $a = g^w$, $A = G^w$ 
and sends $a$ and $A$ to the verifier. 

2. The verifier calculates $c = \mathcal{H}(g, h, G, H, a, A)$ and sends $c$ to the 
prover. 

3. The prover sets $r = w + cx$ and outputs $(r, c)$ as the certificate of 
$\log_g h = \log_G H$. 

4. The verification of the certificate is to check whether 

$$c = \mathcal{H}(g, h, G, H, g^r h^{-c}, G^r H^{-c})$$ 

holds. 

Note that Protocol 4 can be made non-interactive by having the prover himself 
compute $c = \mathcal{H}(g, h, G, H, a, A)$ in Step 2. 
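As an added worked example (written for this page; it is not code from the paper), the following Python script runs Protocol 2 and Protocol 4 over a toy Schnorr group ($p = 2039$, $q = 1019$, $g = 4$, a quadratic residue and hence of order $q$; far too small for real use and chosen only so the script runs instantly), and then mounts the forgery described in the note after Protocol 2: without $x$, an attacker picks $G$ and $y$, sets $H = G^y$ and solves the hash equation directly. The forged tuple passes the hash check but no valid Protocol 4 certificate can be attached to it. Assumptions of the example: $\mathcal{H}$ is SHA-256 reduced to a non-zero challenge in $\mathbb{Z}_q$ (a zero challenge would make a Protocol 4 certificate vacuous), and the signer's key and the forger's $y$ are fixed constants so the outcome is reproducible.

```python
import hashlib
import secrets

# Toy Schnorr group, constructed for this example: q and p = 2q + 1 prime, g = 4 of order q.
P, Q = 2039, 1019
assert all(P % d for d in range(2, 46)) and all(Q % d for d in range(2, 32))
G0 = 4                                  # 2^2: a quadratic residue != 1, hence of order q


def hash_mod_q(*items):
    """H(...): SHA-256 over the items, reduced to a non-zero challenge in Z_q."""
    data = "|".join(str(i) for i in items).encode()
    return 1 + int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1)


def inv_pow(base, e):
    """base^(-e) mod p for a base of order q."""
    return pow(base, (-e) % Q, P)


def protocol2_sign(x, m, g_a, h_a):
    """Protocol 2, both parties in one function: blind signature on m over (g_a, h_a = g_a^x)."""
    w = secrets.randbelow(Q)                                # signer's nonce, fresh per run
    a1 = pow(g_a, w, P)                                     # a' = g_a^w
    s = 1 + secrets.randbelow(Q - 1)                        # receiver: s, u, v
    u, v = secrets.randbelow(Q), secrets.randbelow(Q)
    G, Hh = pow(g_a, s, P), pow(h_a, s, P)
    a = pow(a1 * pow(g_a, v, P) * pow(h_a, u, P), s, P)
    c = hash_mod_q(m, a, G, Hh)
    c1 = (c + u) % Q                                        # c' = c + u
    r1 = (w + c1 * x) % Q                                   # signer: r' = w + c'x
    assert a1 == pow(g_a, r1, P) * inv_pow(h_a, c1) % P     # receiver: a' = g_a^r' h_a^-c'
    return ((r1 + v) % Q, c, G, Hh)                         # (r, c, G, H)


def hash_check(m, sig):
    """Only the hash equation c = H(m, G^r H^-c, G, H); NOT sufficient on its own."""
    r, c, G, Hh = sig
    return c == hash_mod_q(m, pow(G, r, P) * inv_pow(Hh, c) % P, G, Hh)


def prove_log_equality(x, g, h, G, Hh):
    """Protocol 4 (non-interactive): certificate (r, c) that log_g h = log_G H."""
    w = secrets.randbelow(Q)
    a, A = pow(g, w, P), pow(G, w, P)
    c = hash_mod_q(g, h, G, Hh, a, A)
    return ((w + c * x) % Q, c)


def verify_log_equality(g, h, G, Hh, cert):
    r, c = cert
    a = pow(g, r, P) * inv_pow(h, c) % P
    A = pow(G, r, P) * inv_pow(Hh, c) % P
    return c == hash_mod_q(g, h, G, Hh, a, A)


def forge_without_x(m, G, y):
    """The attack from the note after Protocol 2: choose H = G^y for any y and solve the
    hash equation directly; no signer and no knowledge of x is needed."""
    Hh = pow(G, y, P)
    k = secrets.randbelow(Q)
    a = pow(G, k, P)
    c = hash_mod_q(m, a, G, Hh)
    return ((k + c * y) % Q, c, G, Hh)                      # G^r H^-c = G^(k+cy) G^(-cy) = a


def demo():
    x = 117                                                 # signer's key, fixed for reproducibility
    h = pow(G0, x, P)
    g_a = pow(G0, 5, P)                                     # the receiver's starting point
    h_a = pow(g_a, x, P)
    m = "token for receiver a"                              # constructed sample message
    sig = protocol2_sign(x, m, g_a, h_a)
    cert = prove_log_equality(x, G0, h, sig[2], sig[3])
    y = 777                                                 # forger's choice; it does not know x
    forged = forge_without_x(m, pow(G0, 9, P), y)
    forged_cert = prove_log_equality(y, G0, h, forged[2], forged[3])   # best the forger can do
    return {"genuine_hash": hash_check(m, sig),
            "genuine_cert": verify_log_equality(G0, h, sig[2], sig[3], cert),
            "forged_hash": hash_check(m, forged),
            "forged_cert": verify_log_equality(G0, h, forged[2], forged[3], forged_cert)}


if __name__ == "__main__":
    print(demo())
```

The forged certificate fails because its response was computed with $y \neq x$: the verifier recomputes $g^r h^{-c} = g^{w + c(y - x)}$, which differs from the committed $g^w$ whenever $c \neq 0$, so the hash no longer matches. A verifier that only checks the hash equation of Protocol 2 accepts the forgery.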

In the next Section, we combine disjoint orbits, Protocol 2 and Protocol 4 to 
arrive at the new magic ink signature scheme. 



4 Description of the New Scheme 

Environment Description There are fewer than $2^n - 2$ users or receivers. Each 
receiver has an identity $a$ which is a binary string of length $n$ ($a \neq (0 \cdots 0)_2$ 
and $a \neq (1 \cdots 1)_2$). There are a number of signers and one trustee. 

Set-up of the trustee The trustee secretly generates $n$ primes $q_1, \ldots, q_n$ such 
that $p = 2 \prod_{i=1}^{n} q_i + 1$ is a prime. For each $a = (b_1 b_2 \cdots b_n)_2$, he computes 
$g_a = g^{\prod_{i=1}^{n} q_i^{b_i}}$, where $g$ is an element of $\mathbb{Z}_p^*$ of order 
$Q = \prod_{i=1}^{n} q_i$. The trustee then publishes $g$ and all $g_a$ while keeping all 
the $q_i$ secret. We assume that factoring $Q$ is difficult, so nobody but the 
trustee can deliberately pick a number sharing a factor with $Q$; and since every 
$q_i$ is large, a randomly chosen number from $\mathbb{Z}_Q$ has a common factor with $Q$ 
only with negligible probability. 

Signers’ Keys Each signer randomly chooses $x \in \mathbb{Z}_Q$ as its private (signing) 
key and publishes $h = g^x$ and $h_a = g_a^x$ for all $a$ as the public keys. By 
Protocol 4, the signer can prove to anyone that $\log_g h = \log_{g_a} h_a$ for all $a$, 
i.e., that the signer has published correct $h$ and $h_a$. 

The Signing Protocol When a receiver (with identity a) goes to a signer (with 
signing key x), the receiver gets a blind signature on a message m by running 
the following protocol with the signer. 

Protocol 5 

Part I 

1. The signer randomly chooses $w \in \mathbb{Z}_Q$, computes $a' = g_a^w$ and sends 
$a'$ to the receiver. 

2. The receiver randomly chooses $s, u, v \in \mathbb{Z}_Q$, computes $a = (a' g_a^v h_a^u)^s$, 
$G = g_a^s$, $H = h_a^s$, $c = \mathcal{H}(m, a, G, H)$ and $c' = c + u$, and sends $c'$ to 
the signer. 

3. The signer sets $r' = w + c'x$ and sends $r'$ back to the receiver. 

4. The receiver checks whether $a' = g_a^{r'} h_a^{-c'}$. If yes, he accepts $r'$ and 
sets $r = r' + v$. 

Part II 

5. The signer randomly chooses $W \in \mathbb{Z}_Q$ ($W$ must be different from 
$w$), computes $A' = g_a^W$ and $B' = g^W$, and sends $A'$ and $B'$ to the 
receiver. 

6. The receiver randomly chooses $U, V \in \mathbb{Z}_Q$, calculates 

$$A = (A')^s G^V H^U$$ 

for the same $s$, $G$, and $H$ as in Part I, and $B = B' g^V h^U$. Then he 
calculates $C = \mathcal{H}(A, B, G, H, r, c)$ for the same $r$ and $c$ as in Part I, 
sets $C' = C + U$, and sends $C'$ to the signer. 

7. The signer calculates $R' = W + C'x$ and sends $R'$ back to the receiver. 

8. The receiver checks whether $A' = g_a^{R'} h_a^{-C'}$ and $B' = g^{R'} h^{-C'}$. If yes, 
he accepts $R'$ and sets $R = R' + V$. 

Finally, the receiver outputs $(r, c, R, C, G, H)$ as the blind signature of 
$m$. The verification of the signature is to check for equality of both 

$$c = \mathcal{H}(m, G^r H^{-c}, G, H) \quad \text{and} \quad C = \mathcal{H}(G^R H^{-C}, g^R h^{-C}, G, H, r, c).$$ 

The nonces $w$ and $W$ must also be fresh for every protocol run: since 
$r' = w + c'x$ and $R' = W + C'x$, a receiver who obtains two responses computed 
with the same nonce, whether within one run ($W = w$) or across two runs, can 
solve the two linear equations for the signer’s private key $x$ (whenever the 
difference of the two challenges is invertible modulo $Q$). 

Anonymity The receiver can later show $(r, c, R, C, G, H, m)$ to anyone, 
including the signer. The signer has $(w, W, r', c', R', C', a', A', B')$ as the 
transcript of the instance of the corresponding signing protocol. Knowing the 
signature, even the signer cannot find any correlation between 
$(r, c, R, C, G, H, m)$ and $(w, W, r', c', R', C', a', A', B')$, nor does the signature 
reveal the receiver’s identity (i.e., $a$). We will explain this in detail in the 
next Section. 

Anonymity Revocation When the need arises, $(r, c, R, C, G, H, m)$ is brought to 
the trustee, who can find out the receiver’s identity $a$ by computing the order of 
$G$. As has been shown in Section 2, computing the order of $G$ is very easy with 
the knowledge of $q_1, q_2, \ldots, q_n$. Hence, the trustee can easily trace the receiver 
directly from the signature. However, to ensure correct anonymity revocation, 
the signing protocol must guarantee that the resulting $G$ is really obtained from 
$g_a$ raised to the $s$-th power, where $s$ has no common factor with $Q$. We will 
explain in the next Section that this is indeed achieved by the protocol except 
with a negligible probability. 
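The full scheme as an added example written for this page (it is not the authors' code): trustee set-up with disjoint orbits (Section 2), signer keys, both parts of Protocol 5, verification, and the trustee's tracing by order computation. It assumes toy parameters $q_i \in \{3, 5, 7, 11\}$, $Q = 1155$, $p = 2311$ instead of 300-bit primes, so the orbit structure can be followed by hand, and uses SHA-256 reduced to a non-zero element of $\mathbb{Z}_Q$ as $\mathcal{H}$. One point the example makes explicit: the receiver cannot factor $Q$, but $Q = (p-1)/2$ itself is public, so an honest receiver can check $\gcd(s, Q) = 1$ before using $s$; the demo also shows what the trustee recovers when $s$ does share a factor with $Q$ (a wrong identity).

```python
import hashlib
import secrets
from math import gcd, prod

# Toy parameters constructed for this example (the paper uses n = 30 and 300-bit q_i).
QS = (3, 5, 7, 11)            # trustee's secret primes q_1 .. q_n
Q = prod(QS)                  # 1155; Q = (p-1)/2 is public, its factorisation is not
P = 2 * Q + 1                 # 2311, prime
assert all(P % d for d in range(2, int(P ** 0.5) + 1))


def hash_mod_q(*items):
    """H(...): SHA-256 over the items, reduced to a non-zero element of Z_Q."""
    data = "|".join(str(i) for i in items).encode()
    return 1 + int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1)


def inv_pow(base, e):
    """base^(-e) mod p; valid because every base used has order dividing Q."""
    return pow(base, (-e) % Q, P)


def find_g():
    """Trustee: an element g = g_p^2 of order exactly Q (g^(Q/q_i) != 1 for all i)."""
    for cand in range(2, P):
        g = pow(cand, 2, P)
        if all(pow(g, Q // q, P) != 1 for q in QS):
            return g


def starting_point(g, a):
    """g_a = g^(product of q_i with b_i = 1); a = (b_1, ..., b_n), not all-0 nor all-1."""
    assert 0 < sum(a) < len(a)
    return pow(g, prod(q for q, b in zip(QS, a) if b), P)


def trace(G):
    """Trustee: b_i = 1 iff G^(Q/q_i) = 1, i.e. iff q_i does not divide ord(G)."""
    return tuple(1 if pow(G, Q // q, P) == 1 else 0 for q in QS)


def sign(x, m, g, h, g_a, h_a):
    """Protocol 5 with both parties in one function; returns (r, c, R, C, G, H)."""
    # Part I: blind Schnorr-type signature over the base (g_a, h_a) that hides g_a.
    w = secrets.randbelow(Q)                            # signer's nonce, fresh per run
    a1 = pow(g_a, w, P)                                 # a' = g_a^w
    s = secrets.randbelow(Q)                            # receiver: blinding exponent
    while gcd(s, Q) != 1:                               # checkable, since Q is public
        s = secrets.randbelow(Q)
    u, v = secrets.randbelow(Q), secrets.randbelow(Q)
    G, Hh = pow(g_a, s, P), pow(h_a, s, P)
    a = pow(a1 * pow(g_a, v, P) * pow(h_a, u, P), s, P)
    c = hash_mod_q(m, a, G, Hh)
    c1 = (c + u) % Q                                    # c' = c + u, sent to the signer
    r1 = (w + c1 * x) % Q                               # signer: r' = w + c'x
    assert a1 == pow(g_a, r1, P) * inv_pow(h_a, c1) % P # receiver: a' = g_a^r' h_a^-c'
    r = (r1 + v) % Q
    # Part II: blinded proof that log_G H = log_g h, bound to (r, c) from Part I.
    W = secrets.randbelow(Q)                            # must differ from w: W = w leaks x
    while W == w:
        W = secrets.randbelow(Q)
    A1, B1 = pow(g_a, W, P), pow(g, W, P)               # A' = g_a^W, B' = g^W
    U, V = secrets.randbelow(Q), secrets.randbelow(Q)   # receiver's blinding
    A = pow(A1, s, P) * pow(G, V, P) * pow(Hh, U, P) % P
    B = B1 * pow(g, V, P) * pow(h, U, P) % P
    C = hash_mod_q(A, B, G, Hh, r, c)
    C1 = (C + U) % Q
    R1 = (W + C1 * x) % Q                               # signer: R' = W + C'x
    assert A1 == pow(g_a, R1, P) * inv_pow(h_a, C1) % P # receiver checks both commitments
    assert B1 == pow(g, R1, P) * inv_pow(h, C1) % P
    R = (R1 + V) % Q
    return (r, c, R, C, G, Hh)


def verify(m, sig, g, h):
    """Anyone: both hash equations, plus a subgroup check on G before anyone trusts it."""
    r, c, R, C, G, Hh = sig
    if not (1 < G < P and pow(G, Q, P) == 1):
        return False
    part1 = c == hash_mod_q(m, pow(G, r, P) * inv_pow(Hh, c) % P, G, Hh)
    part2 = C == hash_mod_q(pow(G, R, P) * inv_pow(Hh, C) % P,
                            pow(g, R, P) * inv_pow(h, C) % P, G, Hh, r, c)
    return part1 and part2


def demo():
    g = find_g()
    x = secrets.randbelow(Q)                            # signer's private key
    while gcd(x, Q) != 1:
        x = secrets.randbelow(Q)
    h = pow(g, x, P)
    a = (0, 1, 1, 0)                                    # receiver's identity (bit string)
    g_a = starting_point(g, a)
    h_a = pow(g_a, x, P)
    m = "access token #1"                               # constructed sample message
    sig = sign(x, m, g, h, g_a, h_a)
    bad_G = pow(g_a, 3, P)                              # s = 3 shares q_1 with Q: wrong orbit
    return {"verified": verify(m, sig, g, h), "identity": a,
            "traced": trace(sig[4]), "traced_bad_s": trace(bad_G)}


if __name__ == "__main__":
    print(demo())
```

With $a = (0, 1, 1, 0)$ the orbit has order $Q/(5 \cdot 7) = 33$, and the trustee recovers $a$ from $G$ alone, with no transcript; $g_a^3$ has order 11 and traces to $(1, 1, 1, 0)$, which is why the protocol must rule out exponents sharing a factor with $Q$. In the toy group the receiver's gcd loop fires often, because the $q_i$ are tiny; with 300-bit $q_i$ it practically never does.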

5 Security of the New Scheme 

In this Section, we present some discussions on the security of Protocol 5, the 
main result of this paper. 

Correctness The correctness of Protocol 5 is easy to see since we have 

$$G^r H^{-c} = G^{r'+v} H^{-c'+u} = G^{r'} H^{-c'} G^v H^u = (a')^s G^v H^u = a,$$ 

$$G^R H^{-C} = G^{R'+V} H^{-C'+U} = G^{R'} H^{-C'} G^V H^U = (A')^s G^V H^U = A,$$ 

$$g^R h^{-C} = g^{R'+V} h^{-C'+U} = g^{R'} h^{-C'} g^V h^U = B' g^V h^U = B,$$ 

where $G^{r'} H^{-c'} = (g_a^{r'} h_a^{-c'})^s = (a')^s$ and likewise for $A'$ and $B'$. Hence, 
we have 

$$c = \mathcal{H}(m, G^r H^{-c}, G, H) \quad \text{and} \quad C = \mathcal{H}(G^R H^{-C}, g^R h^{-C}, G, H, r, c),$$ 

assuming that both the signer and the receiver execute the protocol correctly. 

Soundness First we show that, without knowing $\log_g h$, it is computationally 
infeasible to find $C$ and $R$ such that $C = \mathcal{H}(G^R H^{-C}, g^R h^{-C}, G, H, r, c)$. To 
this purpose, we view $\mathcal{H}(G^R H^{-C}, *, G, H, r, c)$ as a new hash function $\mathcal{H}'$. 
Then finding $C$ and $R$ such that $C = \mathcal{H}'(g^R h^{-C})$ is computationally infeasible 
without knowing $\log_g h$. The Schnorr signature scheme also requires this property. 

Secondly, we show that 

$$C = \mathcal{H}(G^R H^{-C}, g^R h^{-C}, G, H, r, c)$$ 

guarantees $\log_G H = \log_g h$ except with a negligible probability. Here we can 
ignore the items $r, c$, which are used for another purpose (to be explained later). 
Hence, we can write $C = \mathcal{H}(G^R H^{-C}, g^R h^{-C}, G, H, r, c)$ as 
$C = \mathcal{H}'(G^R H^{-C}, g^R h^{-C}, G, H)$, which is like Protocol 4. Since Protocol 4 is 
derived from Protocol 3, we consider Protocol 3 here (the validity of evolving 
Protocol 3 to Protocol 4 has been discussed in previous literature). The 
difference between the environment of Protocol 3 and that of Protocol 5 is that 
$q$ is a prime in the former while $Q$ is a composite in the latter. However, this 
difference does not affect the validity of Protocol 5 since $Q$ is the product of 
$n$ large primes with $n$ comparatively small. Suppose $H = G^{x'}$, $h = g^x$ and 
$x' \neq x$. The prover can succeed in cheating if and only if he can find $w$ and $w'$ 
such that, for the challenge $c$ given (after choosing $w$ and $w'$) by the verifier, 
$G^r = G^{w'} H^c$ and $g^r = g^w h^c$ hold for some $r$. That is, 
$r = w' + x'c \bmod \operatorname{ord}(G)$ and $r = w + xc \bmod \operatorname{ord}(g) = Q$. Since 
$\operatorname{ord}(G)$ divides $Q$ and is not 1, there is at least one $q_i$ dividing 
$\operatorname{ord}(G)$, and for it we must have $w' + x'c = w + xc \bmod q_i$, i.e., 
$c = (w' - w)/(x - x') \bmod q_i$. This implies that for any given $w$ and $w'$, the 
probability that the verifier chooses the “right” $c$ is at most $1/q_i$. 

Anonymity We now show that the signer is unable to trace any signature, say, 
$(r, c, R, C, G, H, m)$, to the transcript $(w, W, r', c', R', C', a', A', B')$ produced by 
the corresponding signing protocol instance. Observe that $c' = c + u$ and 
$r = r' + v$ for randomly chosen $u$ and $v$, and $u$ and $v$ are kept secret by the 
receiver. Hence, $r$ and $c$ are perfectly blinded. Similarly, we have $C' = C + U$ and 
$R = R' + V$, where $U$ and $V$ are also secretly and randomly chosen by the receiver. 
Therefore, $R$ and $C$ cannot be determined from $R'$ and $C'$. We also have $G = g_a^s$ 
and $H = h_a^s$ for secret $s$. As a result, $g_a$ cannot be linked to $G$. 

Trying to “match” $(r, c, R, C, G, H, m)$ with $(w, W, r', c', R', C', a', A', B')$ by 
checking $C = \mathcal{H}(G^R H^{-C}, B' g^{R-R'} h^{C'-C}, G, H, r, c)$ does not help at all. 
This is because we have $B' = g^{R'} h^{-C'}$ for every transcript, so that 
$B' g^{R-R'} h^{C'-C} = g^R h^{-C}$ no matter which transcript is used. Hence, every 
transcript $(w, W, r', c', R', C', a', A', B')$ “matches” every signed message 
$(r, c, R, C, G, H, m)$, i.e., they “match” even if they were produced from different 
signing protocol instances. 
Anonymity Revocation This is the central function of Protocol 5. We need 
to show that it is impossible, except with negligible probability, for the receiver 
to mislead the trustee by presenting $G$ and $H$ other than as specified by the 
protocol. 

Apparently, the receiver can find $c$ and $r$ satisfying $c = \mathcal{H}(m, G^r H^{-c}, G, H)$ 
by simply choosing $G$ and $H$ such that $H = G^y$ for some $y$. However, our 
protocol requires that $G$ and $H$ must also satisfy 
$C = \mathcal{H}(G^R H^{-C}, g^R h^{-C}, G, H, r, c)$. This in turn implies that the $G$ and $H$ 
chosen by the receiver must satisfy $\log_g h = \log_G H$, i.e., $x = y$. This can only 
happen with a negligible probability; otherwise, the receiver has found the 
signer’s private key. 

Protocol 5 is divided into two parts, Part I and Part II. This is necessary 
since otherwise the receiver could present $G$ and $H$ as powers of $g$ and $h$. In 
this case, the signature would be verified as valid but the order of $G$ would be 
different from that of $g_a$. To prevent this from happening, we have $r$ and $c$ 
appear in $C = \mathcal{H}(G^R H^{-C}, g^R h^{-C}, G, H, r, c)$. By doing so, we force Part I to 
be completed before Part II (the signer must therefore not send $A'$ and $B'$ 
before it has received $c'$). In this way, the receiver has no choice other than 
setting $G = (g_a)^s$ for some $s$, since only $a' = g_a^w$ is given to the receiver in 
Part I. 

The only way for the receiver to present a $G$ having a different order from that 
of $g_a$ is to choose an $s$ that has a common factor with $Q$. This happens with a 
negligible probability. 



6 Implementation 

In the security proof in Section 5, we implicitly assume that each receiver 
goes to each signer to get a blind signature only once. Therefore, the application 
of this scheme is limited to situations where each receiver gets each signer’s 
signature only once, such as a registration scenario. 

For multiple-signing applications, such as a bank and its users, the 
implementation should be as follows: $a$ is divided into two parts, $a = a_1 a_2$, 
where $|a_1| = n_1$, $|a_2| = n_2$ and $|a| = n = n_1 + n_2$. $a_1$ is used as the identity 
of a user while $a_2$ is an index showing that this is the $a_2$-th time the user $a_1$ 
comes for a blind signature. 

The signer, therefore, needs to keep a counter for each $a_1$. The content of the 
counter is $a_2$. When $a_1$ comes for a blind signature, the signer does it with 
$g_{a_1 a_2}$ and then updates the counter to $a_2 + 1$. 

In this case, we can have $2^{n_1}$ receivers and each receiver can have $2^{n_2}$ blind 
signatures from each signer. (But receivers $(00 \cdots 0)_2$ and $(11 \cdots 1)_2$ can only 
have $2^{n_2} - 1$ blind signatures.) 

The trustee need not go to any signer just to trace the receiver, but needs 
to check with the signer to trace an individual transaction (or to trace a coin), 
since only the signer’s counter ties $a_2$ to a particular signing instance. 

It should be pointed out that our scheme is less computationally efficient 
than the previous schemes. For example, we take the sizes of $p, q_1, q_2, \ldots, q_n, n$ 
in our scheme as follows: $n = 30$ and each $q_i$ has 300 bits. Let $n_1 = 20$, 
$n_2 = 10$. The scheme can support about one million users. Each user can have 
about 1000 blind signatures from each signer. 
With these parameters, $p$ has about 9000 bits, which is about 8.8 times larger 
than the typical value of $p$ (i.e., 1024 bits). To increase the speed of Protocol 
5, we can restrict the size of $x, w, s, r, -c, u, v, W, R, -C, U, V$. It is not 
necessary to choose them from $\mathbb{Z}_Q$ for security purposes. By suitable 
adjustment, we can make all the exponentiations in the protocol have relatively 
small exponents, independent of $Q$. Therefore, computing an exponentiation 
mod $p$ in our scheme is about $8.8^2 \approx 77$ times slower than a 1024-bit 
exponentiation. In fact, exponentiation for a large modulus $p$ with a small 
exponent has complexity smaller than $O(|p|^2)$. This is because FFT-based 
multiplication plus Montgomery’s method can reduce the complexity to 
$O(|p| \log |p| \log\log |p|)$. The FFT method is efficient only for large $p$, and 
therefore suits our setting very well. 

Of course, the above parameter sizes may not be sufficient for certain 
applications. Then we can enlarge the parameter sizes at low extra cost. For 
example, if we enlarge $n$ to 60, the system can contain $2^{40}$ users, with each 
user having one million possible signatures from each signer. On the other hand, 
the system is slowed down by a factor smaller than $2^2 = 4$. 

Remarks on the Factorization of Q The security of our scheme is based on 
the hardness of factoring $Q$. Here $Q$ is a product of some 300-bit primes; $Q$ 
itself has nearly ten thousand bits. Apparently, any factoring algorithm 
whose complexity depends on the size of $Q$ cannot be feasible for factoring 
$Q$. Currently two factoring algorithms have complexity dependent on the size of 
the prime factors. One is Pollard’s $p - 1$ algorithm, which requires $q_i - 1$ to 
be smooth for some prime factor $q_i$; it can be resisted by choosing the $q_i$ as 
secure (safe) primes. The other is the Elliptic Curve Factoring method (ECF). 
It is estimated that ECF is so far infeasible for factoring integers with 
300-bit prime factors. In our scheme, ECF is even more infeasible due to the 
large size of $Q$ (ECF needs to do exponential computations over $\mathbb{Z}_Q$). 

7 Conclusions 

The new magic ink signature scheme we have presented in this paper is a blind 
signature scheme with anonymity revocation. The major difference between our 
scheme and the previous schemes is that our scheme is transcript irrelevant 
in performing anonymity revocation while the previous schemes are not. More 
specifically, the trustee can trace a receiver’s identity directly from a signature; 
he does not need to search the transcript of the corresponding signing protocol 
instance. Therefore, in our scheme the trustee can do the anonymity revocation 
alone. In addition, each signer need not maintain a huge database to store all 
the transcripts for later revocation. 
Abstract. In this paper we consider a special type of dual basis for finite 
fields $GF(2^m)$, where the admissible values of $m$ are presented in Section 2. We 
introduce our field representation method for efficient field arithmetic (such 
as field multiplication and field inversion). It plays a very effective role 
for both software and hardware (VLSI) implementations, but the hardware design 
of its structure is outside the scope of this manuscript, and so, here, we deal 
only with the case of its software implementation (the efficiency of the 
hardware implementation appears in another article submitted to IEEE 
Transactions on Computers). A brief description of several advantageous 
characteristics of our method is that (1) the field multiplication in $GF(2^m)$ 
can be constructed with only $m + 1$ vector rotations and the same number of 
vector XOR operations, (2) no additional work such as basis changing is 
required (from standard to dual basis or from dual basis to standard basis, as 
conventional dual-basis arithmetic does), (3) the field squaring is only a 
bit-by-bit permutation and has good regularity for its implementation, and 
(4) the field inversion process is available for both kinds of implementation, 
using Fermat’s Theorem and using the almost inverse algorithm; especially, the 
case of using the almost inverse algorithm has the additional advantage in 
finding (computing) the complete inverse element (i.e., no pre-computed table 
of the values $x^{-k}$, $k = 1, 2, \ldots$, is required). 



1 Introduction 

Field arithmetic is fundamental in the implementation of Elliptic Curve 
Cryptosystems (ECC), one of the public key cryptosystems suggested by N. Koblitz 
and V. Miller. To achieve an effective ECC, there need to be efficient 
implementations of field arithmetic operations. Among these operations, the 
field multiplication and the field inversion are very critical to the 
time/hardware complexity of their software and hardware implementations. In 
general, there are three methods to represent the field elements in $GF(q^m)$, 
depending upon what type of basis is used for the field: polynomial basis 
(standard basis), normal basis, or dual basis. It is known that dual basis 
multipliers are the most hardware efficient multipliers available, both in 
bit-serial and in bit-parallel designs. But in its software implementation, as 
well as in such a hardware implementation with a dual basis, one has to pay 
some additional costs, such as basis conversion and a little additional 
complexity in the implementation of field squaring. Here, in this manuscript, 
we insist that there exists a special type of dual basis over which the 
performance and implementation effectiveness of field arithmetic (field 
multiplication and field inversion) surpass those over an optimal normal basis 
or a trinomial standard basis (optimized polynomial basis). 

H. Imai and Y. Zheng (Eds.): PKC’99, LNCS 1560, pp. 12 ff., 1999. 

Whatever basis is used to represent the field elements of GF(2^m), each of them has a simplified and effective form: the trinomial standard basis, the optimal dual basis (which is dual to a trinomial basis) [5], and the optimal normal basis [10] (whose multiplication table has the least number, 2m - 1, of nonzero entries).

As said previously, in our special type of dual basis of GF(2^m) over GF(2), the field arithmetic operations can be accomplished while gaining the benefits of both the dual basis and the normal basis (or optimal normal basis), where m is the field extension degree over GF(2) for which the first type of optimal normal basis exists, i.e.

m = 4, 10, 12, 18, 28, 36, 52, 58, 60, 66, 82, 100, 106, 130, 138, 148, 162, 172, 178, 180, 196, 210, 226, 268, 292, 316, 346, 348, ...

Note that our dual basis is not a self-dual normal basis [11]. In the following subsection, we describe some mathematical background for general dual bases, and in section 2 we present our method to implement the field arithmetic operations. In section 3, we describe our implementing algorithms (the aspect of their VLSI design is described in another article).



1.1 Dual Basis

Throughout this paper it is assumed that the reader is familiar with the basic theory of finite fields; for more details one may refer to [12]. Let Tr(·) be the trace function of GF(q^m) to GF(q) defined by

Tr(a) = \sum_{i=0}^{m-1} a^{q^i},

which is a special type of linear functional (linear transformation) of GF(q^m) to GF(q). In general, there are q^m linear functionals of GF(q^m) to GF(q), and by them we can define the general duality between two bases {φ_i} and {ψ_i} for GF(q^m) as follows.

Definition 1. Let f be a nontrivial linear functional of GF(q^m) to GF(q). Any two bases {φ_i} and {ψ_i} are called dual with respect to f if they satisfy the following equation:

f(φ_i ψ_j) = 1 if i = j,  0 if i ≠ j.

Theorem 1. Every basis for GF(q^m) has its unique dual basis with respect to any given nontrivial linear functional f of GF(q^m) to GF(q).
Theorem 2. If {φ_i} and {ψ_i} are dual bases for GF(q^m) to each other, then any element a ∈ GF(q^m) represented via {φ_i} can be rewritten in the form

a = \sum_{i=0}^{m-1} f(a φ_i) ψ_i

via the basis {ψ_i}.

Here we describe a bit-serial multiplier due to Berlekamp [3] which uses a dual basis representation. Let

φ = {1, α, α^2, ..., α^{m-1}}

be a polynomial (standard) basis of GF(2^m) over GF(2), where p(t) is the minimal polynomial of α, and let

ψ = {ψ_0, ψ_1, ..., ψ_{m-1}}

be its dual basis with respect to the trace function Tr(·), i.e. φ_j = α^j, j = 0, 1, ..., m − 1, and Tr(α^i ψ_j) = 1 if i = j and 0 if i ≠ j. Let p(t) = \sum_{i=0}^{m} p_i t^i be the minimal polynomial of α over GF(2), i.e. the field-defining irreducible polynomial of GF(2^m). Then for each x ∈ GF(2^m) we have

x = \sum_{i=0}^{m-1} x_i α^i = \sum_{i=0}^{m-1} Tr(x α^i) ψ_i = \sum_{i=0}^{m-1} [x]_i ψ_i,

where the [x]_i are the coordinates of x with respect to the dual basis ψ. Then we have

[αx]_j = Tr(αx · α^j) = Tr(α^{j+1} x) = [x]_{j+1},  for 0 ≤ j ≤ m − 2, and

[αx]_{m-1} = Tr(α^m x) = Tr(\sum_{i=0}^{m-1} p_i α^i x) = \sum_{i=0}^{m-1} p_i Tr(α^i x) = \sum_{i=0}^{m-1} p_i [x]_i.

This mechanism plays the critical role in the field multiplication process based on a dual basis. For a concrete explanation, let y = \sum_{j=0}^{m-1} y_j α^j ∈ GF(2^m); then for each k, 0 ≤ k ≤ m − 1,

[xy]_k = [x \sum_{j=0}^{m-1} y_j α^j]_k = \sum_{j=0}^{m-1} y_j [α^j x]_k = \sum_{j=0}^{m-1} y_j [x]_{j+k},

where [x]_i := Tr(α^i x) for i ≥ m is generated from the preceding coordinates by the linear recurrence for [αx]_{m-1} given above. Thus the product of x and y with dual-basis coordinates can be obtained by the computation diagram in Fig. 1; in that figure, ⊕ denotes the bit-by-bit XOR operation and ⊗ denotes the bit-by-bit logical AND operation, which are the two field operations in GF(2).
Fig. 1. Block diagram for general dual basis multiplication

As seen in Fig. 1, in the general case (non self-dual), the product of two elements in GF(2^m) using the dual basis representation requires the extra work of converting one of the two elements into the representation over its dual basis (or from the dual to the standard basis), and one can easily check that, for the simplicity of the upper XOR-summation part in Fig. 1, one selects a very simple irreducible polynomial (with a small number of nonzero terms), i.e., a trinomial, etc., for the optimized dual basis [5].

From Fig. 1, we can easily get the following theorem in generalized form.

Theorem 3. Let α be a root of the irreducible polynomial defining the field GF(q^m). And let ψ = {ψ_i} be the dual basis to the standard basis φ = {α^i} with respect to a linear functional f of GF(q^m) to GF(q). If for x, y, z ∈ GF(q^m), xy = z, then the following relation holds (in the following, [·]_i means the coefficient over the dual basis ψ):

\begin{pmatrix}
f(y) & f(yα) & \cdots & f(yα^{m-1}) \\
f(yα) & f(yα^2) & \cdots & f(yα^m) \\
\vdots & \vdots & \ddots & \vdots \\
f(yα^{m-1}) & f(yα^m) & \cdots & f(yα^{2m-2})
\end{pmatrix}
\begin{pmatrix} x_0 \\ x_1 \\ \vdots \\ x_{m-1} \end{pmatrix}
=
\begin{pmatrix} f(z) \\ f(zα) \\ \vdots \\ f(zα^{m-1}) \end{pmatrix}  (1)

Let us denote the above matrix equation by M(y) · x^t = z^t, where the superscript t denotes transposition.

2 Description of the Theoretic Evolution

2.1 Circular Dual Basis

Throughout the following, it is assumed that the characteristic of GF(q) is 2, i.e. q is a power of 2. In this section we propose a new type of dual basis named the circular dual basis and extract some useful results from it for the field arithmetic.

Definition 2. Let p(t) be a nonzero polynomial over GF(q), where q is a prime power, and p(0) ≠ 0. Then the least positive integer e for which p(t) divides t^e − 1 is called the order (or period) of p and is denoted by ord(p(t)).

For convenience, let us call the polynomial

p(t) = 1 + t + ··· + t^m ∈ GF(q)[t]

the compact polynomial of degree m over GF(q).

Theorem 4. For a positive integer m > 2, if m + 1 is a prime number and m is the multiplicative order of q modulo m + 1, then there exists a unique irreducible compact polynomial p(t) of degree m and of order m + 1. That is, p(t) = 1 + t + ··· + t^m is irreducible over the field and it divides t^{m+1} − 1.

Proof. By Theorem 3.5 in [12], the number of monic irreducible polynomials in GF(q)[t] of degree m and order e is equal to φ(e)/m, where φ is Euler's function. In our case e = m + 1, and so φ(e) = m. Hence the unique monic irreducible polynomial of degree m which divides t^{m+1} − 1 is the compact polynomial itself. □

We call such a compact and irreducible polynomial of order m + 1 a circular polynomial, and we call the dual basis of a circular polynomial a circular dual basis. For a concrete example, considering those over the field GF(2), we are led to the following result.

Theorem 5. Over the field GF(2), there are circular polynomials whose degrees are the following values of m:

m = 4, 10, 12, 18, 28, 36, 52, 58, 60, 66, 82, 100, 106, 130, 138, 148, 162, 172, 178, 180, 196, 210, 226, 268, 292, 316, 346, 348, ...

= the set of all dimensions for which the first type of optimal normal basis over GF(2) exists.

Proof. By the previous theorem, each degree m of a circular polynomial must be a positive integer such that q = 2 is a primitive element modulo the prime number m + 1. And these are the same as the set of numbers which are the degrees for which the first type of optimal normal basis exists [10]. □
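The conditions of Theorems 4 and 5 can be checked mechanically. The following Python script is an added example, not code from the paper: it enumerates the degrees m for which m + 1 is prime and 2 is a primitive root modulo m + 1, and for small m verifies directly that the compact polynomial 1 + t + ... + t^m is irreducible exactly for those degrees and then has order m + 1 (Definition 2). Polynomials over GF(2) are held as Python ints with bit i the coefficient of t^i; the function names and the constant PAPER_LIST (Theorem 5's list copied for the self-check) are the example's own. Note that m = 2 also satisfies the prime and primitive-root conditions (giving 1 + t + t^2), which is why the enumeration starts at 4 by default.

```python
"""Degrees m admitting a circular polynomial over GF(2) (Theorems 4 and 5).
Added example, not the paper's own code.  A polynomial over GF(2) is an int
whose bit i is the coefficient of t^i."""

# Theorem 5's list of degrees, copied from the paper for the self-check.
PAPER_LIST = [4, 10, 12, 18, 28, 36, 52, 58, 60, 66, 82, 100, 106, 130, 138,
              148, 162, 172, 178, 180, 196, 210, 226, 268, 292, 316, 346, 348]


def is_prime(n):
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def is_primitive_root_2(p):
    """True if 2 generates the multiplicative group modulo the odd prime p."""
    if p < 3:
        return False
    e, x = 1, 2                        # x = 2^e mod p
    while x != 1:
        x = (x * 2) % p
        e += 1
    return e == p - 1


def circular_degrees(limit, start=4):
    """All m in [start, limit] with m + 1 prime and 2 primitive modulo m + 1."""
    return [m for m in range(start, limit + 1)
            if is_prime(m + 1) and is_primitive_root_2(m + 1)]


def compact(m):
    """The compact polynomial 1 + t + ... + t^m."""
    return (1 << (m + 1)) - 1


def poly_mod(a, b):
    """Remainder of a divided by b in GF(2)[t]."""
    db = b.bit_length() - 1
    while a and a.bit_length() - 1 >= db:
        a ^= b << (a.bit_length() - 1 - db)
    return a


def order(p):
    """Definition 2: the least e > 0 with p(t) | t^e - 1 (needs p(0) != 0)."""
    e, x = 1, poly_mod(0b10, p)        # x = t^e mod p
    while x != 1:
        x = poly_mod(x << 1, p)
        e += 1
    return e


def is_irreducible(p):
    """Trial division by every polynomial of degree 1 .. deg(p)/2; adequate
    for the small degrees checked here."""
    n = p.bit_length() - 1
    return all(poly_mod(p, d) != 0 for d in range(2, 1 << (n // 2 + 1)))


def check(limit):
    """Theorem 4 in both directions for 2 <= m <= limit: the compact polynomial
    is irreducible exactly for the enumerated degrees, and its order is m + 1."""
    degrees = circular_degrees(limit, start=2)
    irreducible = [m for m in range(2, limit + 1) if is_irreducible(compact(m))]
    return irreducible == degrees and all(order(compact(m)) == m + 1 for m in degrees)


if __name__ == "__main__":
    print(circular_degrees(348) == PAPER_LIST, check(20))
```

Running the script prints `True True`: the enumeration reproduces Theorem 5's list up to 348, and for m up to 20 the compact polynomial is irreducible precisely when m is in the list (for m = 6, for instance, 1 + t + ... + t^6 splits into two cubics, as 2 has order 3 modulo 7).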
Throughout the following, it is assumed that p(t) = \sum_{i=0}^{m} t^i is a circular polynomial of degree m over GF(q), i.e. the irreducible polynomial over GF(q) of degree m which divides t^{m+1} − 1. The m-dimensional extension field GF(q^m) over GF(q) defined by the circular polynomial p(t) has the standard basis

φ = {1, α, α^2, ..., α^{m-1}},

where α is a root of p(t).

Theorem 6. If we fix the linear functional in Theorem 2 to be the trace map Tr(·) of GF(q^m) to GF(q), the dual basis ψ = {ψ_0, ψ_1, ..., ψ_{m-1}} to the standard basis φ is given by

ψ_i = α + α^{-i} = α + α^{m+1-i}.

These can also be represented in terms of the basis elements α^i of φ as

ψ_0 = 1 + α,  (2)
ψ_1 = s + α,  s = \sum_{i=0}^{m-1} α^i,  (3)
ψ_j = α^{m+1-j} + α,  j = 2, 3, ..., m − 1.  (4)

Proof. By Theorem 1.5 in [?], if

g(t) = (t − α)(β_0 + β_1 t + ··· + β_{m-1} t^{m-1})  (5)

then the dual basis is ψ = {ψ_i}, where

ψ_i = β_i / g'(α),  i = 0, 1, ..., m − 1.  (6)

Through the expansion of equation (5) (here g(t) = p(t), the circular polynomial, and α^{m+1} = 1), we easily get the representations of the β_i in polynomial form:

β_i = \sum_{l=1}^{i+1} (α^{-1})^l.

Furthermore g'(α) = 1 + α^2 + α^4 + ··· + α^{m-2}, and note that

(1 + α) g'(α) = 1 + α + α^2 + ··· + α^{m-1} = α^m = 1/α,  so  g'(α) = 1 / (α(1 + α)).  (7)

Hence, by equations (6) and (7), we get

ψ_i = α(1 + α) \sum_{l=1}^{i+1} (α^{-1})^l
    = (α + α^2)(α^{-1} + α^{-2} + ··· + α^{-(i+1)})
    = (1 + α)(1 + α^{-1} + α^{-2} + ··· + α^{-i})
    = α + α^{-i} = α + α^{m+1-i},

the last step being the telescoping of the product in characteristic 2. □

From the above, we easily get the following basis-changing matrix D_0 from the dual basis ψ to the standard basis φ:

(x_i)^t = D_0 ([x]_i)^t,

\begin{pmatrix} x_0 \\ x_1 \\ x_2 \\ x_3 \\ \vdots \\ x_{m-2} \\ x_{m-1} \end{pmatrix}
=
\begin{pmatrix}
1 & 1 & 0 & 0 & \cdots & 0 & 0 & 0 \\
1 & 0 & 1 & 1 & \cdots & 1 & 1 & 1 \\
0 & 1 & 0 & 0 & \cdots & 0 & 0 & 1 \\
0 & 1 & 0 & 0 & \cdots & 0 & 1 & 0 \\
\vdots & \vdots & \vdots & \vdots &  & \vdots & \vdots & \vdots \\
0 & 1 & 0 & 1 & \cdots & 0 & 0 & 0 \\
0 & 1 & 1 & 0 & \cdots & 0 & 0 & 0
\end{pmatrix}
\begin{pmatrix} [x]_0 \\ [x]_1 \\ [x]_2 \\ [x]_3 \\ \vdots \\ [x]_{m-2} \\ [x]_{m-1} \end{pmatrix}  (8)

Here we introduce one additional (bit) coefficient s[x] for the utilized representation of x = ([x]_i) ∈ GF(2^m) over the circular dual basis, as follows:

s[x] = \sum_{i=0}^{m-1} [x]_i,

x = ([x]_0, [x]_1, ..., [x]_{m-1}) over the dual basis,
\bar{x} := ([x]_0, [x]_1, ..., [x]_{m-1}, s[x]).  (9)

We call the representation \bar{x} the circular dual based representation. With this notion, equation (8) can be rewritten as (the second row uses x_1 = [x]_0 + [x]_2 + ··· + [x]_{m-1} = [x]_1 + s[x]):

\begin{pmatrix} x_0 \\ x_1 \\ x_2 \\ x_3 \\ \vdots \\ x_{m-1} \\ 0 \end{pmatrix}
=
\begin{pmatrix}
1 & 1 & 0 & 0 & \cdots & 0 & 0 & 0 \\
0 & 1 & 0 & 0 & \cdots & 0 & 0 & 1 \\
0 & 1 & 0 & 0 & \cdots & 0 & 1 & 0 \\
0 & 1 & 0 & 0 & \cdots & 1 & 0 & 0 \\
\vdots & \vdots & \vdots & \vdots &  & \vdots & \vdots & \vdots \\
0 & 1 & 1 & 0 & \cdots & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & \cdots & 0 & 0 & 0
\end{pmatrix}
\begin{pmatrix} [x]_0 \\ [x]_1 \\ [x]_2 \\ [x]_3 \\ \vdots \\ [x]_{m-1} \\ s[x] \end{pmatrix}  (10)

Let us abbreviate this equation by \bar{x}_φ^t = D \bar{x}^t, where \bar{x}_φ := (x_0, x_1, ..., x_{m-1}, 0).  (11)

Using the above utilities, we get the following theorem.

Theorem 7. Let x, y, z ∈ GF(2^m), z = xy, and let

\bar{x} = ([x]_0, [x]_1, ..., [x]_{m-1}, s[x]),
\bar{y} = ([y]_0, [y]_1, ..., [y]_{m-1}, s[y]),
\bar{z} = ([z]_0, [z]_1, ..., [z]_{m-1}, s[z])

be their circular dual based representations. Then equation (1) can be rewritten in the following form:

\bar{z} = \bar{x}
\begin{pmatrix}
[y]_0 & [y]_1 & [y]_2 & \cdots & [y]_{m-2} & [y]_{m-1} & s[y] \\
s[y] & [y]_0 & [y]_1 & \cdots & [y]_{m-3} & [y]_{m-2} & [y]_{m-1} \\
[y]_{m-1} & s[y] & [y]_0 & \cdots & [y]_{m-4} & [y]_{m-3} & [y]_{m-2} \\
\vdots & \vdots & \vdots &  & \vdots & \vdots & \vdots \\
[y]_2 & [y]_3 & [y]_4 & \cdots & s[y] & [y]_0 & [y]_1 \\
[y]_1 & [y]_2 & [y]_3 & \cdots & [y]_{m-1} & s[y] & [y]_0
\end{pmatrix}
= \sum_{i=0}^{m} [x]_i Rotr(\bar{y}, i),  [x]_m := s[x],  (12)

where Rotr(\bar{y}, i) denotes the vector \bar{y} rotated to the right by i positions (the i-th row of the matrix above).
Proof. Note that

Tr(yα^i) = [y]_i,  i = 0, 1, ..., m − 1,
Tr(yα^m) = Tr(y \sum_{i=0}^{m-1} α^i) = \sum_{i=0}^{m-1} [y]_i = s[y],
Tr(yα^{m+1}) = Tr(y) = [y]_0.

Using these, equation (1) can be rewritten in the following one-bit expanded form:

\begin{pmatrix}
[y]_0 & [y]_1 & \cdots & [y]_{m-1} & s[y] \\
[y]_1 & [y]_2 & \cdots & s[y] & [y]_0 \\
\vdots & \vdots &  & \vdots & \vdots \\
[y]_{m-1} & s[y] & \cdots & [y]_{m-3} & [y]_{m-2} \\
s[y] & [y]_0 & \cdots & [y]_{m-2} & [y]_{m-1}
\end{pmatrix}
\begin{pmatrix} x_0 \\ x_1 \\ \vdots \\ x_{m-1} \\ 0 \end{pmatrix}
=
\begin{pmatrix} [z]_0 \\ [z]_1 \\ \vdots \\ [z]_{m-1} \\ δ \end{pmatrix}  (13)

Let us abbreviate this equation by \bar{M}(y) \bar{x}_φ^t = \bar{z}^t,  (14)

where δ is not determined yet; it will turn out to be s[z]. Now, using equations (10) and (11), we replace the standard based representation of x appearing in the above equation by our circular dual based representation; then we get

\bar{M} D \bar{x}^t = \bar{z}^t.  (15)

Taking the transpose of both sides, we are led to the new equation

\bar{x} D^t \bar{M}^t = \bar{z}.  (16)

Hence the left-hand side of equation (16) is the right-hand side of the theorem. Furthermore, the fact that the sum of all row vectors in D^t \bar{M}^t is the zero vector gives us the result δ = s[z]. This completes the proof. □

In the following section, with these results we deal with the field multiplication, squaring, and field inversion.

3 Description of the Technique (Algorithm)

In this section we describe the algorithms for efficient field arithmetic operations 
based on the previous results. 

3.1 Field Multiplication 

As one sees in the previous section, we got to know that

\bar{x} = ([x]_0, [x]_1, ..., [x]_m),  [x]_m = \sum_{i=0}^{m-1} [x]_i,
\bar{y} = ([y]_0, [y]_1, ..., [y]_m),  [y]_m = \sum_{i=0}^{m-1} [y]_i,
\bar{z} = \overline{xy} = \sum_{i=0}^{m} [x]_i Rotr(\bar{y}, i).

From this we can easily construct the following very simple field multiplication algorithm in pseudo-code (Table 1). But note that \sum_{i=0}^{m} Rotr(\bar{y}, i) = zero vector.



Table 1. Field multiplication algorithm (1)

INPUT : x, y : circular dual based elements in GF(2^m).
OUTPUT : z = xy in circular dual based representation.
z <- 0   /* initialize z to be the zero vector */
for (i = 0; i <= m; i++)
{
    if ([x]_i != 0) z <- z XOR Rotr(y, i);
}



From this notion, we get a more developed algorithm (see Table 2; if we prepare a pre-computed table of the rotated vectors of y, then the above algorithm would be even more effective):

Table 2. Field multiplication algorithm (2)

INPUT : x, y : circular dual based elements in GF(2^m).
OUTPUT : z = xy in circular dual based representation.
z <- 0   /* initialize z to be the zero vector */
if ((# of nonzero entries of x) > (m+1)/2) negate x;
for (i = 0; i <= m; i++)
{
    if ([x]_i != 0) z <- z XOR Rotr(y, i);
}

Hence we can achieve z = xy by only k (≤ (m+1)/2) vector rotations and the same number of vector XOR operations.
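The following Python script is an added example (not code from the paper) that implements Tables 1 and 2 and checks Theorem 7 against ordinary polynomial-basis multiplication. It assumes the bit layout "bit i of an integer holds coordinate i, bit m holds the parity bit s[x]", builds the circular dual based representation from the definition of section 1.1 ([x]_i = Tr(x α^i)), and also verifies the duality relation Tr(α^i ψ_j) = δ_ij of Theorem 6 using the formulas (2)-(4). All function names are the example's own.

```python
"""Circular dual basis (CDB) multiplication by vector rotations (Tables 1
and 2), checked against polynomial-basis multiplication.  Added example, not
the paper's own code.  Bit i of an int is coordinate i; in a CDB vector bit
m is the extra parity bit s[x]."""
import random


def poly_mulmod(a, b, m):
    """Standard-basis product modulo p(t) = 1 + t + ... + t^m."""
    p = (1 << (m + 1)) - 1                  # the compact polynomial
    r = 0
    for i in range(m):
        if (b >> i) & 1:
            r ^= a << i
    for d in range(2 * m - 2, m - 1, -1):   # reduce t^d for d = 2m-2 .. m
        if (r >> d) & 1:
            r ^= p << (d - m)
    return r


def trace(x, m):
    """Tr(x) = x + x^2 + ... + x^(2^(m-1)); the result is 0 or 1."""
    t, y = 0, x
    for _ in range(m):
        t ^= y
        y = poly_mulmod(y, y, m)
    return t


def psi(j, m):
    """Dual basis element psi_j in standard coordinates (equations 2-4)."""
    if j == 0:
        return 0b11                         # 1 + alpha
    if j == 1:
        return ((1 << m) - 1) ^ 0b10        # s + alpha, s = 1 + alpha + ... + alpha^(m-1)
    return 0b10 | (1 << (m + 1 - j))        # alpha + alpha^(m+1-j)


def check_duality(m):
    """Theorem 6: Tr(alpha^i * psi_j) = 1 if i == j else 0."""
    return all(trace(poly_mulmod(1 << i, psi(j, m), m), m) == (i == j)
               for i in range(m) for j in range(m))


def to_cdb(x, m):
    """[x]_i = Tr(x alpha^i) for i < m, plus s[x] = sum of the [x]_i as bit m."""
    xbar, xa = 0, x
    for i in range(m):
        xbar |= trace(xa, m) << i
        xa = poly_mulmod(xa, 0b10, m)       # xa = x * alpha^(i+1)
    return xbar | ((bin(xbar).count("1") & 1) << m)


def rotr(v, i, n):
    """Rotate an n-bit vector right by i: coordinate j moves to j + i mod n."""
    i %= n
    return ((v << i) | (v >> (n - i))) & ((1 << n) - 1)


def cdb_mul(xbar, ybar, m):
    """Table 1: z = XOR of Rotr(y, i) over the set bits [x]_i, i = 0 .. m."""
    z = 0
    for i in range(m + 1):
        if (xbar >> i) & 1:
            z ^= rotr(ybar, i, m + 1)
    return z


def cdb_mul_short(xbar, ybar, m):
    """Table 2: complement x first if more than (m+1)/2 bits are set; the
    m+1 rotations of y sum to zero, so the product is unchanged."""
    n = m + 1
    if bin(xbar).count("1") > n // 2:
        xbar ^= (1 << n) - 1
    return cdb_mul(xbar, ybar, m)


def self_check(m, trials=50, seed=1):
    """Rotation-based products agree with polynomial-basis products."""
    rng = random.Random(seed)
    for _ in range(trials):
        x, y = rng.getrandbits(m), rng.getrandbits(m)
        want = to_cdb(poly_mulmod(x, y, m), m)
        xbar, ybar = to_cdb(x, m), to_cdb(y, m)
        if cdb_mul(xbar, ybar, m) != want or cdb_mul_short(xbar, ybar, m) != want:
            return False
    return True


if __name__ == "__main__":
    for m in (4, 10, 12, 18):
        print(m, check_duality(m), self_check(m))
```

In GF(2^4) (α^5 = 1) the element 1 + α = ψ_0 has the representation (1, 0, 0, 0 | 1), and to_cdb(1, 4) is (0, 1, 1, 1 | 1), since Tr(1) = 0 and Tr(α^i) = 1 for i ≠ 0; the product of (1, 0, 0, 0 | 1) with the representation of α + α^3 comes out as the identity, as Block C below the inversion algorithm would also confirm.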
3.2 Squaring

From now on, it is assumed that all coefficients of any element in GF(2^m) over GF(2) are represented over the circular dual basis defined above.

Theorem 8. Let x, y ∈ GF(2^m), y = x^2, and

\bar{x} = ([x]_0, [x]_1, ..., [x]_{m-1}, [x]_m = s[x]),
\bar{y} = ([y]_0, [y]_1, ..., [y]_{m-1}, [y]_m = s[y]).

Then the following equation holds; that is, \bar{y}^t = P \bar{x}^t for the (m + 1) × (m + 1) permutation matrix

P = \begin{pmatrix}
1 & 0 & 0 & \cdots & 0 & 0 & 0 & \cdots & 0 & 0 \\
0 & 0 & 0 & \cdots & 0 & 1 & 0 & \cdots & 0 & 0 \\
0 & 1 & 0 & \cdots & 0 & 0 & 0 & \cdots & 0 & 0 \\
0 & 0 & 0 & \cdots & 0 & 0 & 1 & \cdots & 0 & 0 \\
\vdots & \vdots & \vdots &  & \vdots & \vdots & \vdots &  & \vdots & \vdots \\
0 & 0 & 0 & \cdots & 0 & 0 & 0 & \cdots & 0 & 1 \\
0 & 0 & 0 & \cdots & 1 & 0 & 0 & \cdots & 0 & 0
\end{pmatrix},  (17)

(the three central columns shown are the columns m/2, m/2 + 1 and m/2 + 2), i.e.

[y]_{2j} = [x]_j,  j = 0, 1, ..., m/2,  (18)
[y]_{2j-1} = [x]_{m/2+j},  j = 1, 2, ..., m/2.  (19)



Proof. Since the characteristic of GF(2^m) is 2, the squaring map is a linear transform. So it is sufficient to check the behavior of the basis elements ψ_j under the squaring transformation. First, recall that ψ_j = α + α^{-j mod (m+1)}, j = 0, 1, ..., m − 1 (and that ψ_m = α + α^{-m} = 0). Then

ψ_j^2 = α^2 + α^{-2j} = (α^2 + α) + (α^{-2j} + α) = ψ_{m-1} + ψ_{2j},  for j = 0, 1, ..., m/2 − 1,

ψ_{m/2}^2 = α^2 + α^{-m} = α^2 + α = ψ_{m-1},  since α^{-m} = α (α^{m+1} = 1),

ψ_j^2 = α^2 + α^{-2j} = (α^2 + α) + (α^{-2j+(m+1)} + α) = ψ_{m-1} + ψ_{2j-(m+1)},  for j = m/2 + 1, ..., m − 1,

where α^2 + α = α + α^{-(m-1)} = ψ_{m-1}. Every ψ_j^2 contributes one ψ_{m-1}, so that x^2 = \sum_{j=0}^{m-1} [x]_j ψ_{2j mod (m+1)} + s[x] ψ_{m-1}.

22 C.-H. Lee, J.-I. Lim

Hence

[y]_{2j} = [x]_j,  j = 0, 1, ..., m/2 − 1,
[y]_{2j-1} = [x]_{m/2+j},  j = 1, 2, ..., m/2 − 1,
[y]_{m-1} = \sum_{i=0}^{m-1} [x]_i = s[x],

and moreover,

s[y] = \sum_{i=0}^{m-1} [y]_i = \sum_{i=0}^{m/2-1} [x]_i + \sum_{i=1}^{m/2-1} [x]_{m/2+i} + s[x] = [x]_{m/2}.

This proves the theorem. □

In the above theorem, the squaring is only a bit-by-bit permutation based on the circular dual basis; that is, this squaring process needs no logic operations in its hardware implementation. Let EXPAND_k(·) be the function from k-bit vectors to (2k − 1)-bit vectors defined, for a given x = (x_0, x_1, ..., x_{k-1}), by

EXPAND_k(x)_{2j+1} = 0,  j = 0, 1, 2, ..., k − 2,
EXPAND_k(x)_{2j} = x_j,  j = 0, 1, 2, ..., k − 1.

Then the squaring can be described by the following simple algorithm (Table 3), in pseudo-code:

Table 3. Squaring algorithm

INPUT : x = ([x]_0, [x]_1, ..., [x]_{m-1}, [x]_m = s[x]);
OUTPUT : x^2 in circular dual based form;

x^L <- ([x]_0, [x]_1, ..., [x]_{m/2});
x^H <- ([x]_{m/2+1}, [x]_{m/2+2}, ..., [x]_m, 0);
Return x^2 <- EXPAND_{m/2+1}(x^L) XOR (EXPAND_{m/2+1}(x^H) >> 1);

where the shift >> 1 moves every coordinate one position higher (coordinate 2j of the expanded x^H goes to 2j + 1), and the function EXPAND_k(·) can be easily implemented by a small table in memory.
3.3 Conversion to Standard Basis

We showed that the basis conversion matrix from the circular dual basis to its standard basis is the matrix D_0 appearing in equation (8). From that equation, we get the following conversion equation in one-bit expanded form (here the x_i denote the coordinates over the standard basis and the [x]_i denote the coordinates over the circular dual basis of x):

\begin{pmatrix} x_0 \\ x_1 \\ x_2 \\ x_3 \\ \vdots \\ x_{m-1} \\ 0 \end{pmatrix}
=
\begin{pmatrix}
1 & 0 & 0 & 0 & \cdots & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & \cdots & 0 & 0 & 1 \\
0 & 0 & 0 & 0 & \cdots & 0 & 1 & 0 \\
0 & 0 & 0 & 0 & \cdots & 1 & 0 & 0 \\
\vdots & \vdots & \vdots & \vdots &  & \vdots & \vdots & \vdots \\
0 & 0 & 1 & 0 & \cdots & 0 & 0 & 0 \\
0 & 1 & 0 & 0 & \cdots & 0 & 0 & 0
\end{pmatrix}
\begin{pmatrix} [x]_0 \\ [x]_1 \\ [x]_2 \\ [x]_3 \\ \vdots \\ [x]_{m-1} \\ [x]_m \end{pmatrix}
+
\begin{pmatrix} [x]_1 \\ [x]_1 \\ [x]_1 \\ [x]_1 \\ \vdots \\ [x]_1 \\ [x]_1 \end{pmatrix}  (20)

This equation generates the following simple representation-conversion algorithm (Table 4) of a field element from the circular dual basis to its standard basis:



Table 4. Conversion to the standard based representation

INPUT : x = ([x]_0, [x]_1, ..., [x]_m) over the circular dual basis.
OUTPUT : x = (x_0, x_1, ..., x_{m-1}, 0) over the standard basis.

1. x <- rotate x by one bit to the left;
2. if ([x]_1 != 0, for the coordinate [x]_1 of the input) x <- negation of x;
3. x <- take the reciprocal of x;

But we need only lines 1 and 2 for the inversion algorithm in the following subsection.
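The squaring permutation of Table 3 and the conversion of Table 4 are pure bit manipulations, so they can be exercised without any field multiplication. The Python script below is an added example, not code from the paper. It implements Table 4 and, as a cross-check, the conversion by the definition x = Σ_j [x]_j ψ_j using formulas (2)-(4); it also implements the inverse conversion (the same steps as lines 31-33 of Table 5 in the next subsection, with a rotation by one position), and Table 3's squaring, which it compares with squaring in the standard basis via α^{m+1} = 1 and α^m = 1 + α + ··· + α^{m-1}. The bit layout (bit i holds coordinate i, bit m holds s[x]) and all function names are the example's own assumptions; the paper's ">> 1" in Table 3 is a shift towards the higher coordinate, which is a left shift in this layout.

```python
"""Squaring (Table 3) and basis conversion (Table 4) in the circular dual
basis as pure bit permutations; added example, not the paper's own code.
Bit i of an int is coordinate i; bit m of a CDB vector is the parity s[x]."""
import random


def rotl(v, i, n):
    """Rotate an n-bit vector left by i: coordinate j moves to j - i mod n."""
    i %= n
    return ((v >> i) | (v << (n - i))) & ((1 << n) - 1)


def rotr(v, i, n):
    return rotl(v, n - (i % n), n)


def reverse_bits(v, n):
    """The reciprocal: coordinate j moves to n - 1 - j."""
    return int(format(v, "0%db" % n)[::-1], 2)


def psi(j, m):
    """Dual basis element psi_j in standard coordinates (equations 2-4)."""
    if j == 0:
        return 0b11
    if j == 1:
        return ((1 << m) - 1) ^ 0b10
    return 0b10 | (1 << (m + 1 - j))


def cdb_to_standard(xbar, m):
    """Table 4: rotate left by one, complement if [x]_1 = 1, reciprocal.
    Returns (x_0, ..., x_{m-1}, 0): bit m is always zero."""
    n = m + 1
    w = rotl(xbar, 1, n)
    if (xbar >> 1) & 1:
        w ^= (1 << n) - 1
    return reverse_bits(w, n)


def cdb_to_standard_by_definition(xbar, m):
    """x = sum of [x]_j * psi_j, for cross-checking Table 4."""
    x = 0
    for j in range(m):
        if (xbar >> j) & 1:
            x ^= psi(j, m)
    return x


def standard_to_cdb(x, m):
    """Inverse of Table 4: reciprocal, complement to even weight (a genuine
    CDB vector has even weight over its m+1 bits), rotate right by one."""
    n = m + 1
    w = reverse_bits(x, n)                 # (0, x_{m-1}, ..., x_0)
    if bin(w).count("1") & 1:
        w ^= (1 << n) - 1
    return rotr(w, 1, n)


def expand(v, k):
    """EXPAND_k: coordinate j (j < k) moves to 2j; odd positions are zero."""
    out = 0
    for j in range(k):
        if (v >> j) & 1:
            out |= 1 << (2 * j)
    return out


def cdb_square(xbar, m):
    """Table 3; the paper's '>> 1' is a shift to the next higher coordinate."""
    h = m // 2
    low = xbar & ((1 << (h + 1)) - 1)      # ([x]_0, ..., [x]_{m/2})
    high = xbar >> (h + 1)                 # ([x]_{m/2+1}, ..., [x]_m, 0)
    return expand(low, h + 1) ^ (expand(high, h + 1) << 1)


def standard_square(x, m):
    """Squaring in the standard basis: alpha^(2i) with exponents reduced
    modulo m+1, and alpha^m = 1 + alpha + ... + alpha^(m-1)."""
    r = 0
    for i in range(m):
        if (x >> i) & 1:
            e = (2 * i) % (m + 1)
            r ^= (1 << m) - 1 if e == m else 1 << e
    return r


def self_check(m, trials=200, seed=7):
    """Conversions agree with the definition and squaring matches Theorem 8."""
    rng = random.Random(seed)
    for _ in range(trials):
        r = rng.getrandbits(m)
        xbar = r | ((bin(r).count("1") & 1) << m)   # genuine CDB vector
        x = cdb_to_standard(xbar, m)
        if x != cdb_to_standard_by_definition(xbar, m) or standard_to_cdb(x, m) != xbar:
            return False
        y = cdb_square(xbar, m)
        if y != standard_to_cdb(standard_square(x, m), m):
            return False
        # Theorem 8: [y]_{m-1} = s[x] and s[y] = [x]_{m/2}
        if ((y >> (m - 1)) & 1) != ((xbar >> m) & 1) or ((y >> m) & 1) != ((xbar >> (m // 2)) & 1):
            return False
    return True


if __name__ == "__main__":
    for m in (4, 10, 12, 18):
        print(m, self_check(m))
```

For m = 4 the vector (1, 0, 0, 0 | 1) converts to x = 1 + α, whose square 1 + α^2 converts back to (1, 0, 0, 1 | 0); Table 3 produces exactly that vector from (1, 0, 0, 0 | 1), and its coordinate m − 1 = 3 equals s[x] = 1 as Theorem 8 states.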

3.4 Field Inversion

We point out that, from the previous results, we can construct an inversion algorithm using the multiplication and squaring algorithms made so far together with Fermat's Theorem, like the optimized one in [9]. But here we construct it by a faster inversion algorithm, using the almost inverse algorithm [14] and its advantage in our circular dual basis.

Let p(t) = 1 + t + ··· + t^m be a circular polynomial, i.e. an irreducible polynomial with p(α) = 0 in GF(2^m); then p(t) is self-reciprocal, i.e. t^m p(1/t) = p(t), and α^{m+1} = 1. Let α^{-1} = u and let

A = a_0 + a_1 α + a_2 α^2 + ··· + a_{m-1} α^{m-1} := A(α) ∈ GF(2^m)
  = α^{m-1}(a_{m-1} + a_{m-2} u + a_{m-3} u^2 + ··· + a_0 u^{m-1})
  = α^{m-1} A(u) ∈ GF(2^m).
Then the two coefficient strings, of A(α) and of A(u) represented in the powers of α and u respectively, are reciprocal to each other. We can apply the almost inverse algorithm to A(u) with the reduction polynomial p(u) ∈ GF(2)[u]. That is, we can find a polynomial B(u) in u such that

A(u) B(u) = u^k  mod p(u)  (21)

for some integer k, 0 ≤ k ≤ 2(m − 1). And so B(α) = α^{m-1} B(u) is an almost inverse of A(α) with reduction polynomial p(α). Now the exact inverse of A(α) comes out as follows (by multiplying α^{k-2(m-1)} to both sides of equation (21)):

A(α)^{-1} = B(α) · α^{(k - 2(m-1)) mod (m+1)}.  (22)

Note that, following the above notations, first, converting the circular dual based element x into the u-polynomial form A(u) is very simple and easy (see section 3.3), and second, α^j, j = 1, 2, ..., m, corresponds to the circular dual based element δ_{m-j+1}, all of whose components are zero except only the (m − j + 1)-th component. The latter tells us that the product of a circular dual based element x and α^j, in circular dual based form, can be achieved by only one vector rotation of x to the right by m − j + 1 positions (see section 3.1).

Therefore we can describe the inversion algorithm (Table 5) for the circular dual based representation by the following pseudo-code (in the code, ROTL_s(*, i) denotes the vector rotation of * to the left by i bit positions in a total size of s bits, and ROTR_s(*, i) does the same with the rotating direction reversed):



Table 5. Field inversion algorithm

INPUT : x in circular dual based form;
OUTPUT : x^{-1} in circular dual based form;

11. A(u) <- ROTL_{m+1}(x, 2);
12. if (A(u)_m != 0) negate A(u) in the first m + 1 bits;
21. set: k = 0, B(u) = 1, C(u) = 0, F(u) = A(u), G(u) = p(u);
22. while (F(0) = 0) do F = F/u, C = C * u, k <- k + 1;
23. if (F = 1) goto 31;
24. if (deg(F) < deg(G)) exchange F, G and B, C;
25. F = F XOR G, B = B XOR C;
26. goto 22;
31. t <- XOR sum of all coefficients in B(u);
32. if (t != 0) B = ~B + t * u^m;   /* ~B : negation of B (m bits) */
33. x^{-1} <- ROTR_{m+1}(B, 2);
34. k <- (k - 2 * (m - 1)) mod (m + 1);
35. if (k = 0) return x^{-1};
36. return x^{-1} = ROTR_{m+1}(x^{-1}, m - k + 1);
In the algorithm (Table 5), the lines indexed 11-12 carry out the coefficient conversion from the circular dual basis to the reciprocal (u-polynomial) of the standard basis, the lines indexed 21-26 carry out the almost inverse algorithm, and, finally, the lines 31-36 carry out the coefficient conversion from the u-polynomial back to the circular dual basis. Note that, in lines 22 and 32, the division by u and the multiplication by u are simply accomplished by the left and right shift operations, respectively. From this we see that, in the above inverse calculating algorithm, the representation converting part has negligible implementation complexity compared with the almost inverse algorithm itself.

In this section we did not mention the algorithm to solve a quadratic equation, since its performance does not influence the performance or efficiency of the whole elliptic curve arithmetic. But even in that case our circular dual based representation gives a very efficient resolution routine with very high (recursive) regularity and without any basis conversion or table memory.
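The inversion of Table 5 is worth running end to end, because its correctness rests on three separate facts from the text: the rotation-by-two conversion to A(u), the almost inverse identity A(u)B(u) = u^k mod p(u), and the rule that multiplying by α^j is one rotation. The Python script below is an added example, not code from the paper. It implements lines 11-36 of Table 5 (the almost inverse loop follows lines 21-26 with Schroeppel et al.'s termination condition F = 1), and checks that x · x^{-1} equals the multiplicative identity (0, 1, ..., 1 | 1) for every nonzero element of GF(2^4) and GF(2^10), using the rotation-based multiplication of Table 1. Because a circular dual based vector and its bitwise complement give the same products (the m + 1 rotations of any vector sum to zero), the check normalises the product to the even-weight representative; that normalisation, the bit layout (bit i holds coordinate i, bit m holds s[x]) and all function names are the example's own.

```python
"""Field inversion in the circular dual basis by the almost inverse algorithm
(Table 5); added example, not the paper's own code.  Bit i of an int is
coordinate i and bit m the parity bit s[x]; for polynomials in u, bit i is
the coefficient of u^i."""


def rotl(v, i, n):
    """Rotate an n-bit vector left by i: coordinate j moves to j - i mod n."""
    i %= n
    return ((v >> i) | (v << (n - i))) & ((1 << n) - 1)


def rotr(v, i, n):
    return rotl(v, n - (i % n), n)


def cdb_mul(xbar, ybar, m):
    """Table 1: z = XOR of Rotr(y, i) over the set bits i of x."""
    z = 0
    for i in range(m + 1):
        if (xbar >> i) & 1:
            z ^= rotr(ybar, i, m + 1)
    return z


def canonical(v, m):
    """A CDB vector and its complement give the same products; the genuine
    representation is the one with even weight over the m+1 bits."""
    return v ^ ((1 << (m + 1)) - 1) if bin(v).count("1") & 1 else v


def almost_inverse(a, m):
    """Lines 21-26: return (B, k) with A(u) B(u) = u^k mod p(u), where
    p(u) = 1 + u + ... + u^m; A must be nonzero."""
    p = (1 << (m + 1)) - 1
    k, b, c, f, g = 0, 1, 0, a, p
    while True:
        while f & 1 == 0:                    # u divides F: F = F/u, C = C*u
            f >>= 1
            c <<= 1
            k += 1
        if f == 1:
            return b, k
        if f.bit_length() < g.bit_length():  # deg F < deg G: exchange
            f, g = g, f
            b, c = c, b
        f ^= g
        b ^= c


def cdb_inverse(xbar, m):
    """Table 5, lines 11-36: x^{-1} in circular dual based form."""
    n = m + 1
    full = (1 << n) - 1
    # lines 11-12: CDB -> coefficient vector of A(u); afterwards bit m is 0
    a = rotl(xbar, 2, n)
    if (a >> m) & 1:
        a ^= full
    if a == 0:
        raise ZeroDivisionError("zero has no inverse")
    # lines 21-26
    b, k = almost_inverse(a, m)
    # lines 31-33: coefficient vector of B(u) -> CDB form of B(alpha)
    if bin(b).count("1") & 1:
        b = (b ^ ((1 << m) - 1)) | (1 << m)  # negate the m bits of B, set the u^m bit
    inv = rotr(b, 2, n)
    # lines 34-36: A(alpha)^{-1} = B(alpha) alpha^k', and alpha^j acts as
    # the rotation to the right by m - j + 1 positions
    k = (k - 2 * (m - 1)) % n
    return inv if k == 0 else rotr(inv, m - k + 1, n)


def self_check(m):
    """x * x^{-1} equals 1 = (0, 1, ..., 1 | 1) for every nonzero x."""
    one = ((1 << (m + 1)) - 1) ^ 1
    for r in range(1, 1 << m):
        xbar = r | ((bin(r).count("1") & 1) << m)   # genuine CDB vector
        if canonical(cdb_mul(xbar, cdb_inverse(xbar, m), m), m) != one:
            return False
    return True


if __name__ == "__main__":
    print(self_check(4), self_check(10))
```

Tracing GF(2^4) by hand: x = 1 + α is (1, 0, 0, 0 | 1); line 11 gives A(u) = u^2 + u^3, the almost inverse loop returns B(u) = 1 + u^2 with k = 6 (indeed (u^2 + u^3)(1 + u^2) = u + u^5 + u^2 + ... reduces to u = u^6 mod p(u) since u^5 = 1), line 34 gives k' = (6 − 6) mod 5 = 0, and line 33 yields (0, 0, 1, 0 | 1), the representation of α + α^3, which is the inverse of 1 + α since (1 + α)(α + α^3) = α + α^2 + α^3 + α^4 = 1.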



4 Attributes and Advantages of the Techniques

4.1 Advantages over Other Representation Methods

There are many advantages of this representation method for field arithmetic. With the results presented so far, its advantages are described as follows.

1. No basis changing process is required for field multiplication, which is the extra work in the case of the conventional dual basis.

2. The field multiplication can be implemented by only vector rotations and vector XOR operations, and so its code is much simpler and its performance is much better than those over optimized normal bases.

3. The squaring of a field element is just a simple bit-by-bit permutation and has very high regularity.

4. The field inversion using the almost inverse algorithm [14] can be implemented to calculate the exact inverse element at almost the same cost as the almost inverse algorithm process alone, since the work to compute the product with the factor α^{k} is reduced to only one vector rotating operation.

4.2 Limitations of the Method

As said in the previous sections, §1 and §2, the circular dual basis exists only for the finite fields in which the first type of optimal normal basis exists. This, however, is not a severe limitation for a cryptographic system, since there are sufficiently many suitable fields with a circular dual basis for cryptographic purposes.
Notes and Comments.

• In the practical implementation of the circular dual based field arithmetic for ECC (Elliptic Curve Cryptosystem) over GF(2^m), the binary representation of a field element takes the reversed order of the previously written form, for easier comprehension, i.e.

a = (a_0, a_1, ..., a_{m-1}, a_m = s[a]) → (a_m = s[a], a_{m-1}, ..., a_1, a_0).

And the additional dummy bit s[a] should appear only during the inner ECC arithmetic process.

• Following the above representation form, one becomes aware of the following two facts:

a. the multiplicative identity in GF(2^m) is (1, 1, ..., 1, 0);
b. for a = (a_m, a_{m-1}, ..., a_1, a_0) ∈ GF(2^m), Tr(a) = a_0.



5 Performance

5.1 Algorithm Analysis

Table 6 shows the algorithm complexities for computing one field multiplication and one field inversion (using the almost inverse algorithm) in the three types of representation of a vector (field element in GF(2^m)). In the table, the abbreviations CDB, ONB, and TPB mean Circular Dual Basis, Optimal Normal Basis, and Trinomial Polynomial Basis, respectively, and AIP denotes the Almost Inverse Process (the measurement was roughly estimated in an average sense).



Table 6. Estimations for the Algorithm Complexities in GF(2^m)

(counts marked [?] are illegible in the source)

                     | CDB                     | ONB                     | TPB
field multiplication | m+1 vector rotations    | 2m vector rotations     | [?] vector shift operations
                     | (m+1)/2 vector XORs     | 2m vector XORs          | m + [?] vector XORs
                     | m+1 bit-scannings       | m vector ANDs           | m bit-scannings
                     |                         |                         | [?] table look-ups
field inversion      | 1 AIP                   | 1 AIP                   | 1 AIP
                     | 2 vector rotations      | 2 basis changes         | 1 field multiplication
                     |                         | 1 field multiplication  |
static memory        | 1 Kbytes                | 8 Kbytes                | 8 Kbytes
5.2 Performance of a Reference Implementation

In Table 7, the process timings of our method for various field operations are presented, compared with other efficient software implementations [?] of field arithmetic by use of composite Galois fields and by use of a multiplication table for GF(2^16) with a trinomial standard basis.

Table 7. Timings comparison for various field operations

(reference numbers and field sizes marked [?] are illegible in the source)

                   | Our Method          | Method in [?]        | Method in [?]        | Method in [?]
                   | in GF(2^178)        | in GF(2^?)           | in GF(2^?)           | in GF(2^?)
Field Repres. Type | Circular Dual Basis | Trinomial Stand.     | Trinomial Stand.     | Trinomial Stand.
                   | over GF(2)          | Basis over GF(2)     | Basis over GF(2^?)   | Basis over GF(2^?)
Total Table Memory | < 1 Kbytes          | < 1 Kbytes           | > 256 Kbytes         | > 256 Kbytes
Platforms          | Pentium 133MHz,     | Pentium 133MHz,      | Pentium 133MHz,      | DEC alpha 3000, 175MHz,
                   | V.C++ comp.         | Watcom 10.6 ANSI-C   | Watcom 10.6 ANSI-C   | 64-bit word
Square             | 1.76 μs             | 2.7 μs               | 5.9 μs               | 4.23 μs
Mult.              | 50 μs               | 71.8 μs              | 62.7 μs              | 38.6 μs
Invers.            | 160 μs              | 225 μs               | 160 μs               | 158.7 μs

As one sees in the above table, the present circular dual based implementation of our method is very efficient as a software implementation (as well as a hardware implementation); and noting that the platform DEC alpha 3000 has a very efficient RISC architecture for parallel processing of multiple instructions, and that the simple processing structure of our circular dual based field arithmetic has good parallelism, we expect it to be faster than the others on the same platform, DEC alpha 3000.



6 Conclusion

In this paper, we presented a newly proposed implementation technique for effective field arithmetic using a special type of dual basis, named the circular dual basis, and considered its efficiency in the field arithmetic operations. The proposed circular dual based implementation of the various field operations appears to be more efficient both than the software implementations by trinomial standard bases (and other bases; note that the trinomial standard based representation is believed to be the most efficient method for the software implementation of field operations) and than the hardware implementations by optimal normal bases (this part was dealt with in another article of ours). Finally we point out that our method is also available and efficient on such composite Galois fields GF((2^n)^m) that gcd(m, n) = 1 and m is one of the numbers in Theorem 5. This can be comprehended by intuition.



References

1. N. Koblitz, Elliptic curve cryptosystems, Math. Comp., 48 (1987), 203-209.

2. V. Miller, Uses of elliptic curves in cryptography, Advances in Cryptology: Proceedings of Crypto'85, Lecture Notes in Computer Science 218 (1986), Springer-Verlag, 417-426.

3. E.R. Berlekamp, Bit-serial Reed-Solomon encoder, IEEE Trans. Information Theory, vol. IT-28, pp. 869-874, Nov. 1982.

4. C.C. Wang, T.K. Truong, H.M. Shao, L.J. Deutsch, J.K. Omura, and I.S. Reed, VLSI architecture for computing multiplications and inversions in GF(2^m), IEEE Trans. Comput., vol. C-34, pp. 1230-1234, Aug. 1985.

5. Sebastian T.J. Fenn, Mohammed Benaissa, and David Taylor, GF(2^m) Multiplication and Division Over the Dual Basis, IEEE Trans. Comput., vol. 45, pp. 319-327, March 1996.

6. J.L. Massey and J.K. Omura, Computational Method and Apparatus for Finite Field Arithmetic, U.S. Patent Application, submitted 1981.

7. G.B. Agnew, R.C. Mullin and S.A. Vanstone, An implementation of elliptic curve cryptosystems over F_{2^155}, IEEE Journal on Selected Areas in Communications, Vol. 11, no. 5 (June 1993), pp. 804-813.

8. D.W. Ash, I.F. Blake, and S. Vanstone, Low complexity normal bases, Discrete Applied Math. 25 (1989), pp. 191-210.

9. T. Itoh, S. Tsujii, A fast algorithm for computing multiplicative inverses in GF(2^m) using normal bases, Information and Computation, 78:171-177, 1988.

10. R.C. Mullin, I.M. Onyszchuk, S.A. Vanstone, and R.M. Wilson, Optimal Normal Bases in GF(p^n), Discrete Applied Maths., pp. 142-169, 1988/1989.

11. A. Lempel and M.J. Weinberger, Self complementary normal bases in finite fields, SIAM J. Disc. Math., 1 (1988), 193-198.

12. R. Lidl and H. Niederreiter, An Introduction to Finite Fields and Their Applications, Cambridge Univ. Press, 1986.

13. Alfred J. Menezes, Applications of Finite Fields, Kluwer Academic Publishers, 1993.

14. R. Schroeppel, H. Orman, S. O'Malley and O. Spatscheck, Fast key exchange with elliptic curve systems, Advances in Cryptology, Proc. Crypto'95, LNCS 963, D. Coppersmith, Ed., Springer-Verlag, 1995, pp. 43-56.

15. P.K.S. Wah and M.Z. Wang, Realization and application of the Massey-Omura lock, in Proc. Int. Zurich Sem., Mar. 1984.

16. S.T.J. Fenn, M. Benaissa, and D. Taylor, Finite Field Inversion Over the Dual Basis, IEEE Trans. on VLSI Systems, vol. 4, No. 1, March 1996.

17. J. Guajardo and C. Paar, Efficient Algorithms for Elliptic Curve Cryptosystems, Advances in Cryptology, CRYPTO'97, pp. 342-356, 1997.

18. Erik De Win, Antoon Bosselaers, and Servaas Vandenberghe, A Fast Software Implementation for Arithmetic Operations in GF(2^n), Advances in Cryptology, ASIACRYPT'96, pp. 65-76, 1996.




On the Security of Random Sources

Jean-Sébastien Coron

École Normale Supérieure
45 rue d'Ulm
Paris, F-75230, France
coron@clipper.ens.fr

Gemplus Card International
34 rue Guynemer
Issy-les-Moulineaux, F-92447, France
coron@gemplus.com



Abstract. Many applications rely on the security of their random num- 
ber generator. It is therefore essential that such devices be extensively 
tested for malfunction. The purpose of a statistical test is to detect spe- 
cific weaknesses in random sources. 

Maurer’s universal test is a very common randomness test, capable of 
detecting a wide range of statistical defects. The test is based on the 
computation of a function which is asymptotically related to the source’s 
entropy, which measures the effective key-size of block ciphers keyed by 
the source’s output. 

In this work we develop a variant of Maurer’s test where the test function 
is in theory exactly equal to the source’s entropy, thereby enabling a 
better detection of defects in the tested source. 



1 Introduction 

Random number generators are probably the most basic cryptographic primitives. They are widely used for block cipher, public-key (e.g. RSA moduli) and keystream generation and as password sources. In some algorithms (e.g. DSA) or protocols (e.g. zero-knowledge), random numbers are intrinsic to the computation. In all these applications, security tightly depends on the randomness of the source.

A pseudo-random generator is a deterministic polynomial time algorithm that expands short seeds into longer bit sequences whose distribution is polynomially indistinguishable from the uniform probability distribution. In other words, the output bits must appear to be statistically independent and uniformly distributed. The first pseudo-random generator was constructed and proved by Blum and Micali, under the assumption that the discrete logarithm problem is intractable on a non-negligible fraction of instances [?]. In the light of their practical and theoretical value, constructing pseudo-random generators is a major concern. Procedures for ensuring the security of random number generators are becoming of great importance with the increased usage of electronic communication.

It is nevertheless difficult to give a general and reliable measure of the cryptographic quality of a pseudo-random sequence. In practice, many different tests are carried out on sequences generated by the random source to evaluate its performance. These practical tests are divided into two groups: complexity tests and statistical tests. Complexity tests evaluate how much of a generated string is required to reconstruct the whole string [?] while statistical tests evaluate whether the generator's behaviour matches a specific probabilistic model. We refer the reader to [?] for a general treatment of randomness tests.

H. Imai and Y. Zheng (Eds.): PKC'99, LNCS 1560, pp. 29-..., 1999.
© Springer-Verlag Berlin Heidelberg 1999

Maurer's universal test is based on the stationary ergodic source with finite memory statistical model [?]. This model allows the computation of the source's entropy, which, in turn, measures the number of bits of "unpredictability". Failure to provide such unpredictability can severely weaken the security of a cryptosystem, as an attacker could use the reduction in entropy to speed up exhaustive search on an otherwise secure encryption algorithm.

However, Maurer’s universal test only provides an asymptotic measure of 
the source’s entropy. In this paper, we show that with a simple transformation, 
Maurer’s test function can yield the source’s entropy. Therefore the new test 
enables a more accurate detection of defects in the tested source. 

The paper is organized as follows: we first recall the basic definitions of the 
stationary ergodic source model and the asymptotic relation between Maurer’s 
test function and the source’s entropy. Then we propose a simple transformation 
of Maurer’s test so that the test function yields the source’s entropy. Then we 
study the distribution of the modified test and give a sample program. Finally, 
we compare the performance of the two tests with respect to different random 
sources. 

2 Statistical Model for a Random Source 

2.1 Definition 

Consider an information source S emitting a sequence $U_1, U_2, U_3, \ldots$ of binary random variables. S is a finite memory source if there exists a positive integer M such that the conditional probability distribution of $U_n$, given $U_1, \ldots, U_{n-1}$, only depends on the last M bits emitted [?]:

$P_{U_n | U_1 \ldots U_{n-1}}(u_n | u_1 \ldots u_{n-1}) = P_{U_n | U_{n-M} \ldots U_{n-1}}(u_n | u_{n-M} \ldots u_{n-1})$

for $n > M$ and for every binary sequence $[u_1, \ldots, u_n] \in \{0,1\}^n$. The smallest M is called the memory of the source. The probability distribution of $U_n$ is thus determined by the source's state $\Sigma_n = [U_{n-M}, \ldots, U_{n-1}]$ at step n.

The source is stationary if it satisfies:

$P_{U_n | \Sigma_n}(u | \sigma) = P_{U_1 | \Sigma_1}(u | \sigma)$

for all $n > M$, for $u \in \{0,1\}$ and $\sigma \in \{0,1\}^M$.

The state-sequence of a stationary source with memory M forms a finite Markov chain: the source can be in a finite number (actually $2^M$) of states $\sigma_i$, $0 \le i \le 2^M - 1$, and there is a set of transition probabilities $\Pr(\sigma_j | \sigma_i)$, expressing the odds that if the system is in state $\sigma_i$ it will next go to state $\sigma_j$. For a general treatment of Markov chains, the reader is referred to [?].

For a general Markov chain with r states, let $P_i^{(n)}$ be the probability of being in state $\sigma_i$ at time $t = n$ and let $P^{(n)}$ be the "state distribution vector" at time n, i.e., $P^{(n)} = [P_1^{(n)}, \ldots, P_r^{(n)}]$.

Let $\Pi$ be the transition matrix of the chain, i.e., $\Pi_{ij} = \Pr(\sigma_j | \sigma_i)$ where $\Pi_{ij}$ is the element in row i and column j of $\Pi$.

For state $\sigma_j$ at time n the source may originate from any state $\sigma_i$ at time $n - 1$ and thus:

$P_j^{(n)} = \Pr(\sigma_j | \sigma_1) P_1^{(n-1)} + \ldots + \Pr(\sigma_j | \sigma_r) P_r^{(n-1)}$

which becomes in matrix notation:

$P^{(n)} = P^{(n-1)} \Pi$

For the class of ergodic Markov processes the probabilities $P_j^{(n)}$ of being in state $\sigma_j$ after n emitted bits approach (as $n \to \infty$) an equilibrium $P_j$ which must satisfy the system of r linear equations:

$\sum_{i=1}^{r} P_i = 1, \qquad P_j = \sum_{i=1}^{r} P_i \Pr(\sigma_j | \sigma_i) \quad \text{for } 1 \le j \le r - 1$

In the case of a source with memory M, each of the $2^M$ states has at most two successor states with non-zero probability, depending on whether a zero or a one is emitted. The transition probabilities are thus determined by the set of conditional probabilities $p_i = \Pr(1 | \sigma_i)$, $0 \le i \le 2^M - 1$, of emitting a one from each state $\sigma_i$. The transition matrix $\Pi$ is thus defined by:

$\Pi_{ij} = \begin{cases} p_i & \text{if } j = 2i + 1 \bmod 2^M \\ 1 - p_i & \text{if } j = 2i \bmod 2^M \\ 0 & \text{otherwise} \end{cases}$

The entropy of state $\sigma_i$ is then $H_i = H(p_i)$, where H is the binary entropy function:

$H(x) = -x \log_2 x - (1 - x) \log_2 (1 - x)$

The source's entropy is then the average of the entropies $H_i$ (of states $\sigma_i$) weighted with the state-probabilities $P_i$:

$H_S = \sum_i P_i H_i$

Let us now assume that the random source is used to generate the N-bit key of a block cipher and let n(q) be the number of N-bit keys that must be tested (in decreasing probability order) in order to reach an overall success probability of q. Shannon proved (see [?], theorem 4) that for $q \neq 0$ and $q \neq 1$:

$\lim_{N \to \infty} \frac{\log_2 n(q)}{N} = H_S$

This shows that when an ergodic stationary source is used to key a block cipher, the entropy $H_S$ is closely related to the number of keys an attacker has to try in order to find the right key. In other words, the entropy measures the effective key-size of a cryptosystem keyed by the source's output.



2.2 Probability of a Bit Sequence

In this section we compute the probability of emitting a bit sequence, which will be used in Section 7.2. Starting from a state distribution vector $W = [W_1, \ldots, W_r]$, the probability of emitting a bit $b \in \{0,1\}$ is:

$\Pr[b | W] = \sum W_i \Pi_{ij} \qquad (1)$

where the sum is taken over the couples (i, j) for which b is emitted during the transition from $\sigma_i$ to $\sigma_j$.

Let $\Pi(b)$ be the transition matrix corresponding to an emitted bit b:

$\Pi(b)_{ij} = \begin{cases} \Pi_{ij} & \text{if bit } b \text{ is emitted from } \sigma_i \text{ to } \sigma_j \\ 0 & \text{otherwise} \end{cases}$

It follows that $\Pi = \Pi(0) + \Pi(1)$ and equation (1) becomes:

$\Pr[b | W] = W \Pi(b) U \qquad \text{where } U = [1, \ldots, 1]^T \text{ is the column vector of } r \text{ ones.}$

By iteration, the probability of emitting the sequence $b = [b_0, \ldots, b_n]$ from the state distribution vector W is:

$\Pr[b | W] = W \Pi(b_0) \Pi(b_1) \cdots \Pi(b_n) U$

and with $\Pi(b) = \Pi(b_0) \Pi(b_1) \cdots \Pi(b_n)$ the probability of appearance of sequence b is:

$\Pr[b] = P \Pi(b) U$
3 Maurer's Universal Test and the Source's Entropy

3.1 Maurer's Test

Maurer's universal test [?] takes as input three integers {L, Q, K} and a $(Q + K) \times L = N$-bit sample $s^N = [s_1, \ldots, s_N]$ generated by the tested source. The parameter L is chosen from the interval [6, 16]. The sequence is partitioned into non-overlapping L-bit blocks. For $1 \le n \le Q + K$, let $b_n(s^N) = [s_{L(n-1)+1}, \ldots, s_{Ln}]$ denote the n-th L-bit block of $s^N$.

The first Q blocks of the sequence are used to initialize the test; Q should be chosen to be at least $10 \times 2^L$ in order to have a high likelihood that each of the $2^L$ blocks of L bits occurs at least once in the first Q blocks. The remaining K blocks are used to compute the test function $f_{T_U} : B^N \to \mathbb{R}$:

$f_{T_U}(s^N) = \frac{1}{K} \sum_{n=Q+1}^{Q+K} \log_2 A_n(s^N) \qquad (2)$

where B denotes the set {0, 1} and $A_n(s^N)$ the minimum distance between the n-th block and any similar preceding block:

$A_n(s^N) = \begin{cases} n & \text{if } \forall i < n,\ b_{n-i}(s^N) \neq b_n(s^N) \\ \min\{i : i \ge 1,\ b_n(s^N) = b_{n-i}(s^N)\} & \text{otherwise.} \end{cases} \qquad (3)$



3.2 Asymptotic Entropy Relation

As will be justified later, Maurer's test function is closely related to the source's entropy. It follows that Maurer's universal test is able to detect any of the statistical defects that can be modeled by an ergodic stationary source with finite memory.

Let $K_L$ be the entropy of L-bit blocks, $G_L$ the per-bit entropy of blocks of L bits and $F_L$ the entropy of the L-th order approximation of the source (see Shannon [?]):

$K_L = -\sum_{b \in B^L} \Pr[b] \log_2 \Pr[b] \qquad (4)$

$F_L = -\sum_{b \in B^{L-1},\, j \in B} \Pr[bj] \log_2 \Pr[j | b] \qquad (5)$

$G_L = \frac{K_L}{L} \qquad (6)$

In [?] we proved the following asymptotic relation between the expectation of Maurer's test function for a stationary ergodic source S outputting a sequence $U_S^N$ of random binary variables and the entropy of L-bit blocks of S:

$\lim_{L \to \infty} E[f_{T_U}(U_S^N)] - K_L = C = \int_0^{\infty} e^{-\xi} \log_2 \xi \, d\xi = -0.8327462 \qquad (7)$

In the next section we improve the performance of Maurer's test by modifying the test function so that its expectation yields the source's entropy, instead of having only an asymptotic relation.



4 Improving Maurer's Universal Test

Maurer's test function is defined as the average of the logarithm to the base two of the minimum distances between two similar blocks. Here we generalize the definition of the test parameter to any function $g : \mathbb{N} \to \mathbb{R}$ of the minimum distance between two similar blocks:

$f_{T_U}^{g}(s^N) = \frac{1}{K} \sum_{n=Q+1}^{Q+K} g(A_n(s^N))$

The mean of $f_{T_U}^{g}(U_S^N)$ for S is given by:

$E[f_{T_U}^{g}(U_S^N)] = \sum_{i \ge 1} \Pr[A_n(U_S^N) = i]\, g(i)$

with

$\Pr[A_n(U_S^N) = i] = \sum_{b \in B^L} \Pr[b_n = b,\ b_{n-1} \neq b,\ \ldots,\ b_{n-i+1} \neq b,\ b_{n-i} = b] \qquad (8)$

If we assume that the L-bit blocks are statistically independent, the above probability factors into:

$\Pr[A_n(U_S^N) = i] = \sum_{b \in B^L} \Pr[b]^2 \times (1 - \Pr[b])^{i-1}$

and we get:

$E[f_{T_U}^{g}(U_S^N)] = \sum_{b \in B^L} \Pr[b] \times \gamma_g(\Pr[b]) \qquad (9)$

where:

$\gamma_g(x) = x \sum_{i \ge 1} (1 - x)^{i-1} g(i)$

Equation (9) shows that the mean value of the generalized test may be interpreted as the expectation of a random variable $W = W(X)$ which takes the value $\gamma_g(\Pr[b])$ with probability $\Pr[b]$. However, the entropy of L-bit blocks $K_L$ (equation (4)) can be viewed as the expectation of a random variable $W' = W'(X)$ which takes the value $-\log_2(\Pr[b])$ with probability $\Pr[b]$.

In order to equate the expectation of the test with the entropy of L-bit blocks, we have to solve the following equation:

$\gamma_g(x) = -\log_2(x) \qquad (10)$

Letting $t = 1 - x$, equation (10) yields:

$(1 - t) \sum_{i=1}^{\infty} t^{i-1} g(i) = -\log_2(1 - t) = \sum_{i=1}^{\infty} \frac{t^i}{i \ln 2}$

and we get:

$g(1) = 0, \qquad g(i+1) - g(i) = \frac{1}{i \ln 2} \quad \text{for } i \ge 1 \qquad (11)$

Hence we can define a modified version of Maurer's test whose test parameter $f_{T_U}^{H}(s^N)$ is computed using:

$f_{T_U}^{H}(s^N) = \frac{1}{K} \sum_{n=Q+1}^{Q+K} g(A_n(s^N)) \qquad (12)$

and equation (3) for the definition of $A_n(s^N)$.

The mean value of this new test function taking as input a sequence $U_S^N$ generated by an ergodic stationary source S is equal to the entropy of L-bit blocks of S:

$E[f_{T_U}^{H}(U_S^N)] = K_L \qquad (13)$



5 Distribution of the Modified Test Parameter

To tune the test's rejection rate, one must first know the distribution of $f_{T_U}^{H}(R^N)$, where $R^N$ denotes a sequence of N bits emitted by a binary symmetric source (BSS, i.e. a truly random source). A sample $s^N$ would then be rejected if the number of standard deviations separating its $f_{T_U}^{H}(s^N)$ from $E[f_{T_U}^{H}(R^N)]$ exceeds a reasonable constant.

In this section we compute the mean and standard deviation of the modified test parameter for a BSS under the reasonable assumption that $Q \to \infty$ (in practice, Q should be larger than $10 \times 2^L$).

From equations (11) and (12) the expected value $E[f_{T_U}^{H}(R^N)]$ of the test parameter for a BSS is given by:

$E[f_{T_U}^{H}(R^N)] = \sum_{i=2}^{\infty} \Pr[A_n(R^N) = i] \, \frac{1}{\ln 2} \sum_{k=1}^{i-1} \frac{1}{k} \qquad (14)$

Using equation (8) we have for a BSS:

$\Pr[A_n(R^N) = i] = 2^{-L} (1 - 2^{-L})^{i-1} \quad \text{for } i \ge 1 \qquad (15)$

and with equation (14):

$E[f_{T_U}^{H}(R^N)] = \frac{2^{-L}}{\ln 2} \sum_{i=2}^{\infty} (1 - 2^{-L})^{i-1} \sum_{k=1}^{i-1} \frac{1}{k} = L$

Thus the mean of the test parameter for a truly random source is simply equal to L, the length of the blocks in the tested sequence. Note that this result is straightforward considering equation (13) since the entropy of L-bit blocks is equal to L for a truly random source.

For statistically independent random variables the variance of a sum is the sum of variances but the $A_n$-terms in (12) are heavily inter-dependent; of course, the same holds for Maurer's original test function [?]. Consequently, Maurer introduced in [?] a corrective factor c(L, K) by which the standard deviation of $f_{T_U}$ is reduced compared to what it would have been if the $A_n$-terms were independent:

$\mathrm{Var}[f_{T_U}(R^N)] = c(L, K)^2 \times \frac{\mathrm{Var}[\log_2 A_n(R^N)]}{K}$

Similarly, we can define $c^H(L, K)$ to be the corrective factor by which the standard deviation of the modified test parameter is reduced compared to what it would have been if the $A_n$-terms were independent:

$\mathrm{Var}[f_{T_U}^{H}(R^N)] = c^H(L, K)^2 \times \frac{\mathrm{Var}[g(A_n(R^N))]}{K}$

The variance of the $A_n$-terms can be easily computed using equation (15):

$\mathrm{Var}[g(A_n(R^N))] = E[g(A_n(R^N))^2] - \left(E[g(A_n(R^N))]\right)^2 = \sum_{i=2}^{\infty} 2^{-L} (1 - 2^{-L})^{i-1} \left(\frac{1}{\ln 2} \sum_{k=1}^{i-1} \frac{1}{k}\right)^2 - L^2$

In [?] we have computed the exact value of the factor c(L, K), while only a heuristic estimate of c(L, K) was given in [?].

The expression of $c^H(L, K)$ is very similar to the one of c(L, K) given in [?], as one should simply replace the terms in the formulae containing $\log_2 i$ by:

$g(i) = \frac{1}{\ln 2} \sum_{k=1}^{i-1} \frac{1}{k}$

As in [?], the factor $c^H(L, K)$ can be approximated for $K > 33 \times 2^L$ by:

$c^H(L, K) = d(L) + \frac{e(L) \times 2^L}{K}$

and $\mathrm{Var}[g(A_n(R^N))]$, d(L) and e(L) are listed in Table 1 for $3 \le L \le 16$ and $L \to \infty$.

This approximation is sufficient because the test must be performed with $K > 1000 \times 2^L$.

To summarize, the distribution of $f_{T_U}^{H}(R^N)$ can be approximated by the normal distribution of mean $E[f_{T_U}^{H}(R^N)] = L$ and standard deviation:

$\sigma = c^H(L, K) \sqrt{\mathrm{Var}[g(A_n(R^N))] / K}$



   L    Var[g(A_n(R^N))]    d(L)        e(L)
   3    2.5769918           0.3313257   0.4381809
   4    2.9191004           0.3516506   0.4050170
   5    3.1291382           0.3660832   0.3856668
   6    3.2547450           0.3758725   0.3743782
   7    3.3282150           0.3822459   0.3678269
   8    3.3704039           0.3862500   0.3640569
   9    3.3942629           0.3886906   0.3619091
  10    3.4075860           0.3901408   0.3606982
  11    3.4149476           0.3909846   0.3600222
  12    3.4189794           0.3914671   0.3596484
  13    3.4211711           0.3917390   0.3594433
  14    3.4223549           0.3918905   0.3593316
  15    3.4229908           0.3919740   0.3592712
  16    3.4233308           0.3920198   0.3592384
   ∞    3.4237147           0.3920729   0.3592016

Table 1. Var[g(A_n(R^N))], d(L) and e(L) for 3 ≤ L ≤ 16 and L → ∞



A source is then rejected if and only if either $f_{T_U}^{H}(s^N) < t_1$ or $f_{T_U}^{H}(s^N) > t_2$, where the thresholds $t_1$ and $t_2$ are defined by:

$t_1 = L - y\sigma \quad \text{and} \quad t_2 = L + y\sigma,$

where y is the number of standard deviations $\sigma$ from the mean allowed for $f_{T_U}^{H}(s^N)$. The parameter y must be chosen such that $\mathcal{N}(-y) = \rho/2$, where $\rho$ is the rejection rate expressing the probability that a sequence emitted by a truly random source will be rejected. $\mathcal{N}(x)$ is the integral of the normal density function:

$\mathcal{N}(x) = \frac{1}{\sqrt{2\pi}} \int_{-\infty}^{x} e^{-\xi^2/2} \, d\xi$

Maurer [?] recommends choosing the parameters L between 6 and 16, $Q \approx 10 \times 2^L$ and $K \approx 1000 \times 2^L$, and taking a rejection rate $\rho \approx 0.01, \ldots, 0.001$, obtained by setting y = 2.58 or y = 3.30 respectively. We suggest keeping these bounds for the new test.

6 A Sample Program

As pointed out in [?], the test can be implemented efficiently by using a table tab of size $V = 2^L$ that stores for each L-bit block the time index of its most recent occurrence. At step n the program gets the L-bit block $b_n(s^N)$ from the random source, computes the minimum distance $A_n(s^N) \leftarrow n - \mathrm{tab}[b_n(s^N)]$, adds $g(A_n(s^N))$ to an accumulator and updates the most recent occurrence table with $\mathrm{tab}[b_n(s^N)] \leftarrow n$.

To improve efficiency, the coefficients computed by the function g(i) are approximated for large i using (16). For $i > 23$ the error is smaller than $10^{-7}$.

$\sum_{k=1}^{i-1} \frac{1}{k} = \ln n + \gamma + \frac{1}{2n} - \frac{1}{12 n^2} + O\!\left(\frac{1}{n^4}\right), \qquad n = i - 1 \qquad (16)$

where $\gamma$ is Euler's constant:

$\gamma = -\int_0^{\infty} e^{-x} \ln x \, dx \approx 0.577216$

The sample program calls the function fsource(L) which returns an L-bit integer produced by the random source.

#include <cmath>

int fsource(int L);   /* supplied by the caller: returns an L-bit integer from the tested source */

/* g(i) = (1/ln 2) * sum_{k=1}^{i-1} 1/k, computed exactly for i < 23 and with the
   asymptotic expansion (16) for larger i; C = -gamma/ln 2 = -0.8327462. */
double fcoef(int i)
{
  double l = log(2.0), s = 0, C = -0.8327462;
  int k, j = i - 1, limit = 23;
  if (i < limit) {
    for (k = 1; k < i; k++) { s = s + 1. / k; }
    return s / l;
  }
  return log((double) j) / l - C + (1. / (2 * j) - 1. / (12. * j * j)) / l;
}

/* Modified universal test (12): Q initialisation blocks, then K test blocks. */
double NewUniversalTest(int L, int Q, int K)
{
  int V = (1 << L), i, n, k;
  int *tab = new int[V];        /* most recent occurrence of each block, 0 = not yet seen */
  double sum = 0;

  for (i = 0; i < V; i++) {
    tab[i] = 0;
  }
  for (n = 1; n <= Q; n++) {
    tab[fsource(L)] = n;
  }
  for (n = Q + 1; n <= (Q + K); n++) {
    k = fsource(L);
    sum = sum + fcoef(n - tab[k]);  /* A_n = n - tab[k] */
    tab[k] = n;
  }
  delete[] tab;
  return sum / K;
}
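As an added example (not the paper's own program), the following Python script implements the test of Section 6 together with the decision rule of Section 5: g(i) with the cut-over to expansion (16), the most-recent-occurrence table, and the thresholds t_1, t_2 computed from the L = 6 row of Table 1 with Maurer's parameters Q = 10 × 2^L, K = 1000 × 2^L and y = 2.58. It is run on three constructed sources (a seeded BSS, a BMS_0.3 and a counter cycling through all 2^L blocks); the sources, the seed and the function names are this example's choices.

```python
import math
import random

LN2 = math.log(2)
EULER_GAMMA = 0.5772156649015329

# Row L = 6 of Table 1: Var[g(A_n(R^N))], d(L), e(L).
TABLE1_L6 = (3.2547450, 0.3758725, 0.3743782)


def g(i):
    """Coefficient g(i) = (1/ln 2) * sum_{k=1}^{i-1} 1/k of equation (11).
    As in the paper's fcoef(), the expansion (16) replaces the exact sum once i >= 23."""
    if i < 1:
        raise ValueError("a minimum distance is at least 1")
    if i < 23:
        return sum(1.0 / k for k in range(1, i)) / LN2
    n = i - 1
    return (math.log(n) + EULER_GAMMA + 1.0 / (2 * n) - 1.0 / (12.0 * n * n)) / LN2


def modified_universal_test(blocks, L, Q, K):
    """f^H_{T_U}(s^N) of equation (12): mean of g(A_n) over the K test blocks.
    `blocks` is an iterable of at least Q + K integers in [0, 2^L)."""
    it = iter(blocks)
    tab = [0] * (1 << L)            # time index of the most recent occurrence, 0 = never seen
    for n in range(1, Q + 1):       # initialisation phase: only fill the table
        tab[next(it)] = n
    acc = 0.0
    for n in range(Q + 1, Q + K + 1):
        b = next(it)
        acc += g(n - tab[b])        # A_n = n - tab[b]; a block never seen gives A_n = n
        tab[b] = n
    return acc / K


def thresholds(L, K, var_g, d, e, y=2.58):
    """t_1 = L - y*sigma and t_2 = L + y*sigma (Section 5), with
    c^H(L, K) = d(L) + e(L) * 2^L / K and sigma = c^H * sqrt(Var / K).
    y = 2.58 corresponds to a rejection rate rho = 0.01 for a truly random source."""
    c_h = d + e * (1 << L) / K
    sigma = c_h * math.sqrt(var_g / K)
    return L - y * sigma, L + y * sigma


def bss_blocks(rng, L, count):
    """Constructed sample of a binary symmetric source."""
    return [rng.getrandbits(L) for _ in range(count)]


def bms_blocks(rng, L, count, p):
    """Constructed sample of a BMS_p: each bit is a one with probability p."""
    out = []
    for _ in range(count):
        b = 0
        for _ in range(L):
            b = (b << 1) | (rng.random() < p)
        out.append(b)
    return out


def counter_blocks(L, count):
    """Constructed sample cycling through all 2^L blocks in order: every block is
    equally frequent, yet each one reappears exactly 2^L steps later."""
    return [n % (1 << L) for n in range(count)]


def run_demo(L=6, seed=1234):
    """Runs the modified test on the three constructed sources with Q = 10 * 2^L and
    K = 1000 * 2^L; returns the statistics, the thresholds and the accept/reject verdicts."""
    Q, K = 10 << L, 1000 << L
    rng = random.Random(seed)
    t1, t2 = thresholds(L, K, *TABLE1_L6)
    stats = {
        "bss": modified_universal_test(bss_blocks(rng, L, Q + K), L, Q, K),
        "bms_0.3": modified_universal_test(bms_blocks(rng, L, Q + K, 0.3), L, Q, K),
        "counter": modified_universal_test(counter_blocks(L, Q + K), L, Q, K),
    }
    verdict = {name: t1 <= f <= t2 for name, f in stats.items()}
    return stats, (t1, t2), verdict


if __name__ == "__main__":
    stats, (t1, t2), verdict = run_demo()
    print("accept if %.5f <= f <= %.5f" % (t1, t2))
    for name, f in stats.items():
        print("%-8s f^H = %.5f  %s" % (name, f, "accepted" if verdict[name] else "REJECTED"))
```

The counter source has perfectly uniform block frequencies and is still rejected, because every block reappears exactly 2^L steps later and g(2^L) lies far above t_2; a frequency count alone would not catch it.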

7 A Comparative Analysis of the Two Tests

In Section 4 we assumed the block sequences of length L to be statistically independent, i.e. that the probability of appearance of a block does not depend on the preceding ones. But this assumption is valid only if the tested source is a binary memoryless source $\mathrm{BMS}_p$ (random binary source which emits ones with probability p and zeroes with probability $1 - p$). In Section 7.1 we compare the performance of Maurer's test and the modified test for a $\mathrm{BMS}_p$.

In the general case of a source with finite (non-zero) memory, the blocks are not statistically independent and the expectation of the modified test function is not equal to the source's entropy of L-bit blocks. However, if the statistics of the tested random source differ from the statistics of a truly random source, the tested source will be rejected with high probability. Only random sources with small statistical bias will pass the test. As shown in Section 7.2 this small bias will still make the difference between the expectation of the modified test function and the source's entropy negligible.



7.1 Comparison with Respect to a BMS_p

In this section we compute the expectation of Maurer's test function for a $\mathrm{BMS}_p$ and compare it with the expectation of the modified test function and with the actual source's entropy. The expectation of Maurer's test function for a $\mathrm{BMS}_p$ with output sequence $U_{\mathrm{BMS}_p}^N$ is given by:

$E[f_{T_U}(U_{\mathrm{BMS}_p}^N)] = \sum_{i=1}^{\infty} \Pr[A_n(U_{\mathrm{BMS}_p}^N) = i] \log_2 i$

while equation (9) and:

$\Pr[b] = p^{w(b)} (1 - p)^{L - w(b)}$

(where w(b) denotes the Hamming weight of $b \in \{0,1\}^L$) yield:

$E[f_{T_U}(U_{\mathrm{BMS}_p}^N)] = \sum_{k=0}^{L} \binom{L}{k} p^k (1 - p)^{L-k} \, \alpha\!\left(p^k (1 - p)^{L-k}\right) \qquad (17)$

where

$\alpha(x) = x \sum_{i=1}^{\infty} (1 - x)^{i-1} \log_2 i$

One can show that:

$\lim_{x \to 0} [\alpha(x) + \log_2 x] = -\frac{\gamma}{\ln 2} = C \qquad (18)$

where $\gamma$ is Euler's constant.

From equations (17) and (18) we recover the result given in [?]. Note that this result is straightforward using equation (7) as $K_L = L \times H(p)$ for a $\mathrm{BMS}_p$.

In the case of a $\mathrm{BMS}_p$ the assumption of statistical independence between the blocks in Section 4 is valid and thus equation (13) leads to:

$E[f_{T_U}^{H}(U_{\mathrm{BMS}_p}^N)] = L \times H(p) \qquad (19)$

Equation (19) shows that the modified test is more accurate than the original one, as it measures the entropy of a $\mathrm{BMS}_p$ whereas the relation is only asymptotic in the original one. This is illustrated in Table 2, which summarizes the expectation of Maurer's test function, the expectation of the modified test function, and the entropy of a $\mathrm{BMS}_p$, for L = 4, L = 8, L = 16 and several values of p.

   L     p     E[f_TU(U^N_BMS_p)] − C    E[f^H_TU(U^N_BMS_p)]    L × H(p)
   4    0.5          4.14397                 4.00000             4.00000
   4    0.4          4.04187                 3.88380             3.88380
   4    0.3          3.73034                 3.52516             3.52516
   8    0.5          8.01641                 8.00000             8.00000
   8    0.4          7.78833                 7.76760             7.76760
   8    0.3          7.08957                 7.05033             7.05033
  16    0.5         16.00012                16.00000            16.00000
  16    0.4         15.53542                15.53521            15.53521
  16    0.3         14.10161                14.10065            14.10065

Table 2. Comparison between the expectation of Maurer's test E[f_TU(U^N_BMS_p)], the expectation of the modified test E[f^H_TU(U^N_BMS_p)] and the L-bit block entropy of a BMS_p.

7.2 Comparison in the General Case

The mean of the modified test for an ergodic stationary source S is given by:

$E[f_{T_U}^{H}(U_S^N)] = \sum_{b \in B^L} \sum_{i \ge 2} \Pr[b (\neg b)^{i-1} b] \, \frac{1}{\ln 2} \sum_{k=1}^{i-1} \frac{1}{k}$

where $\Pr[b (\neg b)^{i-1} b]$ denotes $\Pr[b_n = b,\ b_{n-1} \neq b,\ \ldots,\ b_{n-i+1} \neq b,\ b_{n-i} = b]$.

Using the fact that $\Pr[b (\neg b)^i] = \Pr[b (\neg b)^i b] + \Pr[b (\neg b)^{i+1}]$, we get:

$E[f_{T_U}^{H}(U_S^N)] = \sum_{b \in B^L} \sum_{i \ge 1} \Pr[b (\neg b)^i] \, \frac{1}{i \ln 2}$

From Section 2.2 we obtain the expectation of the modified function in the general case of an ergodic stationary source S with finite memory:

$E[f_{T_U}^{H}(U_S^N)] = \sum_{b \in \{0,1\}^L} \sum_{i \ge 1} P \, \Pi(b) \left(\Pi^L - \Pi(b)\right)^i U \, \frac{1}{i \ln 2}$

where $\Pi$ is the transition matrix of S and $\Pi(b)$ the transition matrix associated to sequence b as defined in Section 2.2.

Table 3 gives $E[f_{T_U}^{H}(U_S^N)]$ for an $\mathrm{STP}_p$, a random binary source for which a bit is followed by its complement with probability p. An $\mathrm{STP}_p$ is thus a source with one bit of memory and two equally-probable states. It follows from equations (4) and (5) that $F_1 = H(1/2) = 1$, $H_S = H(p)$, and $K_L = 1 + (L - 1) H(p)$. Table 3 compares the mean of Maurer's function, the mean of the modified function and the entropy of L-bit blocks of an $\mathrm{STP}_p$ for L = 4 and L = 8 and various values of p. As expected, the new test is closer to the source's entropy than the original one.

Moreover, the difference between the expectation of the modified test function and the source's entropy becomes negligible when p is close to 0.5. This is due to the fact that the L-bit blocks become statistically independent as the source's bias disappears. Extensive experiments performed with random sources with memory bigger than one all led to the same result.
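To reproduce rows of Tables 2 and 3 from the model of Sections 2.1, 2.2 and 7.2, here is an added Python example (not from the paper): it builds Π(0), Π(1) and the stationary vector P for a BMS_p and an STP_p (written out here from the paper's verbal definitions), computes Pr[b] = PΠ(b)U and K_L, and sums the geometric series in Π^L − Π(b) to get the exact expectations of both tests; the function names are this example's.

```python
import math
from itertools import product

LN2 = math.log(2)
C = -0.8327462          # Maurer's constant, equation (7)


def binary_entropy(p):
    """H(p) = -p log2 p - (1 - p) log2 (1 - p)."""
    return -sum(x * math.log2(x) for x in (p, 1 - p) if x > 0)


def mat_mul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(len(b))) for j in range(len(b[0]))]
            for i in range(len(a))]


def vec_mat(v, m):
    """Row vector times matrix."""
    return [sum(v[k] * m[k][j] for k in range(len(v))) for j in range(len(m[0]))]


def stp_source(p):
    """STP_p of Section 7.2: states sigma_0 / sigma_1 = last bit emitted, each with
    stationary probability 1/2; the next bit is the complement of the last one with
    probability p. Returns the stationary vector P and the matrices (Pi(0), Pi(1))."""
    pi0 = [[1 - p, 0.0], [p, 0.0]]      # emitting a 0 leads to sigma_0
    pi1 = [[0.0, p], [0.0, 1 - p]]      # emitting a 1 leads to sigma_1
    return [0.5, 0.5], (pi0, pi1)


def bms_source(p):
    """BMS_p: a memoryless source has a single state; Pr[1] = p."""
    return [1.0], ([[1 - p]], [[p]])


def block_matrices(pi_bits, L):
    """Pi(b) = Pi(b_0) Pi(b_1) ... Pi(b_{L-1}) for every L-bit block b (Section 2.2)."""
    mats = {}
    for b in product((0, 1), repeat=L):
        m = pi_bits[b[0]]
        for bit in b[1:]:
            m = mat_mul(m, pi_bits[bit])
        mats[b] = m
    return mats


def block_probabilities(P, pi_bits, L):
    """Pr[b] = P Pi(b) U, U being the column vector of ones."""
    return {b: sum(vec_mat(P, m)) for b, m in block_matrices(pi_bits, L).items()}


def block_entropy(P, pi_bits, L):
    """K_L = -sum_b Pr[b] log2 Pr[b], equation (4)."""
    return -sum(pr * math.log2(pr) for pr in block_probabilities(P, pi_bits, L).values() if pr > 0)


def expected_tests(P, pi_bits, L, tol=1e-15, max_terms=10**6):
    """Exact expectations (E[f_TU], E[f^H_TU]) for a stationary source with finite memory.

    With R = Pi^L - Pi(b), the one-block transition restricted to blocks other than b,
    the row vector P Pi(b) R^i holds the probabilities of 'b followed by i other blocks':
      E[f_TU]   = sum_{i>=1} Pr[A_n = i] log2 i,  Pr[A_n = i] = sum_b P Pi(b) R^(i-1) Pi(b) U  (8)
      E[f^H_TU] = sum_b sum_{i>=1} P Pi(b) R^i U / (i ln 2)                                (7.2)
    Each geometric tail is summed until its remaining mass drops below tol."""
    pi = [[x + y for x, y in zip(r0, r1)] for r0, r1 in zip(*pi_bits)]
    pi_L = pi
    for _ in range(L - 1):
        pi_L = mat_mul(pi_L, pi)
    e_maurer = e_modified = 0.0
    for pi_b in block_matrices(pi_bits, L).values():
        r = [[x - y for x, y in zip(r0, r1)] for r0, r1 in zip(pi_L, pi_b)]
        v = vec_mat(P, pi_b)                  # block b has just been emitted
        for i in range(1, max_terms + 1):
            e_maurer += sum(vec_mat(v, pi_b)) * math.log2(i)   # b again after i - 1 other blocks
            v = vec_mat(v, r)                                  # one more block different from b
            mass = sum(v)
            e_modified += mass / (i * LN2)
            if mass < tol:
                break
    return e_maurer, e_modified


def compare(source, L):
    """One row of Tables 2/3: (E[f_TU] - C, E[f^H_TU], K_L) for a (P, (Pi(0), Pi(1))) model."""
    P, pi_bits = source
    e_maurer, e_modified = expected_tests(P, pi_bits, L)
    return e_maurer - C, e_modified, block_entropy(P, pi_bits, L)


if __name__ == "__main__":
    for name, src in (("BMS_0.4", bms_source(0.4)), ("STP_0.4", stp_source(0.4))):
        print(name, "L = 4: E[f_TU]-C = %.5f  E[f^H_TU] = %.5f  K_L = %.5f" % compare(src, 4))
```

The first column is shifted by C, as in the tables, so that Maurer's expectation becomes directly comparable with K_L (equation (7)); for the BMS_p the second and third columns coincide exactly (equation (19)), for the STP_p they only agree closely.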

   L     p     E[f_TU(U^N_STP_p)] − C    E[f^H_TU(U^N_STP_p)]    (L − 1) H(p) + 1
   4    0.5          4.14397                 4.00000                4.00000
   4    0.49         4.14321                 3.99914                3.99913
   4    0.45         4.12488                 3.97831                3.97832
   4    0.4          4.06677                 3.91196                3.91285
   4    0.3          3.82175                 3.62743                3.64387
   8    0.5          8.01641                 8.00000                8.00000
   8    0.49         8.01443                 7.99798                7.99798
   8    0.45         7.96671                 7.94942                7.94942
   8    0.4          7.81679                 7.79665                7.79665
   8    0.3          7.20403                 7.16848                7.16904

Table 3. Numerical comparison between the expected value of Maurer's original test E[f_TU(U^N_STP_p)], the expected value of the modified test E[f^H_TU(U^N_STP_p)] and the L-bit block entropy of an STP_p.

8 Conclusion and Further Research

We have introduced a modification of Maurer's universal test that improves its performance. The modification is very simple to implement (a few lines of code) and does not increase the computation time. The new test is more closely related to the source's entropy and therefore enables a more accurate detection of the possible defects in the tested source.

We have not found an analytic expression of the modified test's variance, although the expectation for a truly random source is simply equal to the block length. In addition, an interesting generalization would consist of extending the exact correspondence between the modified test function and the source's entropy to the general class of stationary ergodic random sources with finite (not necessarily zero) memory.
Abstract. Thwarting unlawful redistribution of information sold electronically is a major problem of information-based electronic commerce. Anonymous fingerprinting has appeared as a technique for copyright protection which is compatible with buyer anonymity in electronic transactions. However, the complexity of known algorithms for anonymous fingerprinting deters their practical implementation, since they rely either on secure multiparty computation or on general zero-knowledge proofs. A scheme for anonymous fingerprinting based on committed oblivious transfer is presented in this paper where all computations can be performed efficiently.

Keywords: Secure electronic commerce, Intellectual property protection, Anonymous fingerprinting, Committed oblivious transfer.



1 Introduction 



In information-based electronic commerce, copyright protection of the information being sold is a key problem to be solved, together with secure payment. Fingerprinting is a technique which allows tracking redistributors of electronic information. Given an original item of information, an $\ell$-tuple of marks is probabilistically selected. A mark is a piece of the information item of which two slightly different versions exist. At the moment of selling a copy of the item, the merchant selects one of the two versions for each mark; in other words, she hides an $\ell$-bit word in the information, where the i-th bit indicates which version of the data is being used for the i-th mark. Usually, it is assumed that two or more dishonest buyers can only locate and delete marks by comparing their copies (Marking Assumption, [?]).

Classical fingerprinting schemes [?] are symmetrical in the sense that both the merchant and the buyer know the fingerprinted copy. Even if the merchant succeeds in identifying a dishonest buyer, her previous knowledge of the fingerprinted copies prevents her from using them as a proof of redistribution in front of third parties. In [?] asymmetric fingerprinting was proposed, whereby only the buyer knows the fingerprinted copy; the drawback of this solution is that the merchant knows the buyer's identity even if the buyer is honest. Later the concept of anonymous fingerprinting was introduced [?]; the idea is that the merchant does not know the fingerprinted copy nor the buyer's identity. Upon finding a fingerprinted copy, the merchant needs the help of a registration authority to identify a redistributor. In [?] a scheme for anonymous fingerprinting is presented where redistributors can be identified by the merchant without help from the authority. The problem with the constructions [?] is that, being based on secure multiparty computation [?], their complexity is much too high to be implementable in practice. In [?] an anonymous fingerprinting algorithm is proposed which avoids secure multi-party computation and is based on Rabin's one-out-of-two oblivious transfer; however, this approach also relies on an (unspecified) general zero-knowledge proof whereby the buyer Bob shows to the merchant Mary that a hash value was correctly computed by the buyer.



1.1 Our Result

We present in this paper a scheme for anonymous fingerprinting which is efficiently and completely specified from a computational point of view. The basic primitive used is committed oblivious transfer (see [?]).

Section 2 contains some background on committed oblivious transfer. Section 3 describes the new construction. Section 4 contains a complexity evaluation. Section 5 is a security analysis. Section 6 is a conclusion.



2 Background

In Subsection 2.1 bit commitment with XOR is recalled. This special kind of bit commitment has been shown to be useful for efficient implementation of committed oblivious transfer, which is a concept reviewed in Subsection 2.2.

2.1 Bit Commitment with XOR

In a bit commitment (BC), Mary sends a committed bit, written [a], to Bob in such a way that she is able to reveal it later in a unique way (a) but Bob is not able to find the value a by himself. Mary cannot change her mind and open [a] as $\bar{a}$.

In [?] bit commitment with XOR was introduced. If a special kind of bit commitments (BCX) is used, then it is possible to prove that some commitments satisfy an XOR-relation, without giving away any other information about the contents of the commitments. In particular, it is possible to prove that two BCXs [a] and [b] are equal simply by proving $a \oplus b = 0$; the verifier learns nothing about the bits contained in the commitments, except that they are equal or different.

Call BCX operations the following: creation of a BCX, opening of a BCX and proof that a constant number of BCXs satisfy a given linear relation. Then, if m is the security parameter, it is argued in [?] that each BCX operation can be implemented using O(m) BC operations, where BC denotes plain bit commitment. Unless otherwise specified, all commitments mentioned in the rest of this paper are BCX commitments.



2.2 Committed Oblivious Transfer

Oblivious transfer was originally invented by Rabin [?]: Mary has one secret; the protocol allows Bob to learn the secret with probability 1/2; whatever they do, Mary and Bob cannot modify the probability of Bob learning the secret; moreover, Mary cannot infer from the protocol whether Bob learned the secret or not. A slight variation of the above yields Rabin's one-out-of-two oblivious transfer, whereby Mary has two secrets and the protocol allows Bob to learn one of them; the probability of Bob learning either secret is 1/2; whatever they do, Mary and Bob cannot modify that probability; moreover, Mary cannot infer from the protocol which was the secret learned by Bob. A provably secure protocol for implementing Rabin's oblivious transfers can be found in [?].

In a one-out-of-two oblivious transfer (OT), Bob has to choose between learning bit $a_0$ or $a_1$ prepared by Mary but she does not learn his choice b. If m is the security parameter, it is well known [?] that OT can be constructed using O(m) of Rabin's oblivious transfers.

Now let us turn to committed oblivious transfer (COT). Suppose that Mary is committed to bits $[a_0]$, $[a_1]$ and Bob is committed to bit [b]. After running $\mathrm{COT}([a_0], [a_1])([b])$ Bob knows $a_b$ and is committed to $[a_b]$. Mary, whatever she does, cannot use the protocol to learn information on b and Bob, whatever he does, cannot use the protocol to learn information on $a_{1-b}$.

COT was introduced in [?] under the label "Verifiable Oblivious Transfer"; unfortunately, that protocol used O(m^?) OTs. In [?] a more efficient protocol for COT was presented as "Preprocess-Oblivious-Transfer". In the best case, such a proposal requires O(m^?) OTs. In [?] a protocol for COT was proposed that used O(m) OTs and O(m) BCX operations (the latter can be replaced by $O(m^2)$ BC operations).



3 Anonymous Fingerprinting Based on Committed Oblivious Transfer

In this section, a fingerprinting scheme is presented which provides anonymity and has the advantage of being efficient and completely specified from a computational point of view. This was not the case for previous asymmetric and anonymous fingerprinting schemes.

3.1 Merchandise Initialization

Let the information item to be fingerprinted be n bits long. For i = 1 to n, the merchant Mary creates two versions $\mathrm{item}_i^0$ and $\mathrm{item}_i^1$ of the i-th bit $\mathrm{item}_i$. Both versions differ only for bit positions containing one mark (in the sense of Section 1).

Now, for i = 1 to n, Mary commits, using BCXs, to $\mathrm{item}_i^0$ and to $\mathrm{item}_i^1$ to get $[\mathrm{item}_i^0]$ and $[\mathrm{item}_i^1]$. The 2n BCXs are stored by Mary for later use.

Mary sends to the registration authority Ron a signed and time-stamped message containing a short description of item (but not the full item) as well as a list of the $\ell \le n$ bit positions in item containing a mark.

Note 1. The only reason to use BCXs for $\mathrm{item}_i^0$ and $\mathrm{item}_i^1$ instead of plain BCs is that $[\mathrm{item}_i^0]$ and $[\mathrm{item}_i^1]$ are used as inputs to a COT in the fingerprinting protocol of Subsection 3.3. As mentioned above and justified in [?], using BCXs allows an efficient construction for COT (the XOR property is used only inside the COT construction).


3.2 Buyer Registration

Let p be a large prime such that $q = (p-1)/2$ is also prime. Let G be a group
of order p, and let g be a generator of G such that computing discrete
logarithms to the base g is difficult. Assume that both the buyer Bob and the
registration authority Ron have ElGamal-like public-key pairs. Bob's secret key
is $x_B$ and his public key is $y_B = g^{x_B}$. The registration authority Ron
uses his secret key to issue certificates which can be verified using Ron's
public key. The public keys of Ron and all buyers are assumed to be known and
certified.

Protocol 1

1. Ron chooses a random nonce $x_R \in \mathbb{Z}_p$ and sends $y_R = g^{x_R}$
to Bob.

2. Bob chooses secret random $s_1$ and $s_2$ in $\mathbb{Z}_p$ such that
$s_1 + s_2 = x_B \pmod p$ and sends $S_1 = y_R^{s_1}$ and $S_2 = y_R^{s_2}$ to
Ron. Bob convinces Ron in zero-knowledge of possession of $s_1$ and $s_2$. The
proof given in [ref] for showing possession of discrete logarithms may be used
here. The buyer Bob computes an ElGamal public key $y_1 = g^{s_1} \pmod p$ and
sends it to Ron.

3. Ron checks that $S_1 S_2 = y_B^{x_R}$ and $y_1^{x_R} = S_1$. Ron returns to
Bob a certificate $Cert(y_1)$. The certificate states the correctness of $y_1$.

By going through the registration procedure above several times, Bob can
obtain several different certified keys $y_1$.

Note 2. If Bob is represented by his smart card, then the private key $x_B$ is
the smart card's private key, which is recorded in PROM by the card
manufacturer or issuer. Having Bob represented by a tamper-proof smart card has
several advantages, as will be discussed in Notes 3, 4 and 6 below.
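Protocol 1, together with the simulation argument from the proof of Proposition 1 (Section 5), as an added worked example that is not part of the original paper. It runs the registration on a toy group (the order-1019 subgroup of $\mathbb{Z}_{2039}^*$ with g = 4; an assumption, far too small for real use) and stands in for the unspecified proof of possession of discrete logarithms [ref] with a Fiat-Shamir Schnorr proof using SHA-256. `simulate_transcript` reproduces the construction from Proposition 1, where values satisfying Ron's two algebraic checks are built without $x_B$, which shows that only the proofs of possession of $s_1$ and $s_2$ bind the pseudonym $y_1$ to Bob's key.

```python
import hashlib
import secrets

P, p, g = 2039, 1019, 4   # toy group (assumption): 2039 = 2*1019 + 1; g = 2^2 generates the order-p subgroup


def challenge(base, public, a):
    """Fiat-Shamir challenge in [1, p-1]; it is never 0, so a wrong secret can never verify."""
    h = hashlib.sha256(f"{base}|{public}|{a}".encode()).digest()
    return 1 + int.from_bytes(h, "big") % (p - 1)


def schnorr_prove(base, public, secret):
    """Non-interactive proof of knowledge of secret with public = base^secret (stand-in for [ref])."""
    w = secrets.randbelow(p)
    a = pow(base, w, P)
    return a, (w + challenge(base, public, a) * secret) % p


def schnorr_verify(base, public, proof):
    a, z = proof
    return pow(base, z, P) == a * pow(public, challenge(base, public, a), P) % P


def ron_step1():
    """Step 1: Ron's nonce x_R and y_R = g^x_R."""
    xR = secrets.randbelow(p - 1) + 1
    return xR, pow(g, xR, P)


def bob_step2(xB, yR):
    """Step 2: split x_B = s_1 + s_2 (mod p); send S_1 = y_R^s_1, S_2 = y_R^s_2, y_1 = g^s_1, proofs of s_1, s_2."""
    s1 = secrets.randbelow(p - 1) + 1
    s2 = (xB - s1) % p
    S1, S2 = pow(yR, s1, P), pow(yR, s2, P)
    msg = {"S1": S1, "S2": S2, "y1": pow(g, s1, P),
           "proofs": (schnorr_prove(yR, S1, s1), schnorr_prove(yR, S2, s2))}
    return msg, s1              # s_1 is the signing key behind the pseudonym y_1


def ron_step3(msg, yB, yR, xR):
    """Step 3: returns (S_1 S_2 = y_B^x_R and y_1^x_R = S_1 hold, proofs of possession verify)."""
    algebra_ok = (msg["S1"] * msg["S2"] % P == pow(yB, xR, P)
                  and pow(msg["y1"], xR, P) == msg["S1"])
    proofs_ok = (schnorr_verify(yR, msg["S1"], msg["proofs"][0])
                 and schnorr_verify(yR, msg["S2"], msg["proofs"][1]))
    return algebra_ok, proofs_ok


def simulate_transcript(yB, yR, xR, s1_prime):
    """Proposition 1: knowing x_R but not x_B, build S_1', S_2', y_1' satisfying Ron's equations.
    The simulator knows s_1' but not log_{y_R} S_2' = x_B - s_1', so it can only guess that secret."""
    y1 = pow(g, s1_prime, P)
    S1 = pow(y1, xR, P)
    S2 = pow(yB, xR, P) * pow(S1, p - 1, P) % P     # y_B^x_R / S_1' (inverse via the subgroup order)
    proofs = (schnorr_prove(yR, S1, s1_prime), schnorr_prove(yR, S2, 0))
    return {"S1": S1, "S2": S2, "y1": y1, "proofs": proofs}


def pseudonym_relation(y1, S2, yB, xR):
    """The only link between pseudonym and key (proof of Proposition 2): y_1^x_R * S_2 = y_B^x_R."""
    return pow(y1, xR, P) * S2 % P == pow(yB, xR, P)
```

The simulated transcript passes both of Ron's equations, which is exactly why they reveal nothing about $x_B$, and why the zero-knowledge proofs of $s_1$ and $s_2$ cannot be dropped: the guessed secret for $S_2'$ never verifies, since the challenge is non-zero modulo p.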
3.3 Fingerprinting

If we denote by $item^*$ the fingerprinted copy of the original information
item being sold, the fingerprinting protocol can be specified as follows:

Protocol 2

1. For i = 1 to n, the merchant Mary shuffles the pairs
$(\overline{item_i^{(0)}}, \overline{item_i^{(1)}})$ to obtain
$(\overline{item_i^{(0')}}, \overline{item_i^{(1')}})$. Mary records the
result of the shuffling in the purchase record.

2. For i = 1 to n, Mary and Bob run
$COT(\overline{item_i^{(0')}}, \overline{item_i^{(1')}})(\overline{b_i})$,
where $b_i$ is a bit value chosen by Bob and $\overline{b_i}$ is a BCX. In this
way, Bob obtains $item_i^*$ and returns to Mary a signed commitment
$\overline{item_i^*}$ on it. This commitment is signed using the private key
$s_1$ corresponding to the public key $y_1$ registered in Protocol 1.

Note 3 (Collusion-resistance). The information embedded in the fingerprinted
copy is formed by the bits $b_i$ for which $item_i^{(0)} \neq item_i^{(1)}$.
Assume that there are l such bits $b_i$, with $l < n$. If Bob takes part in the
fingerprinting process through a tamper-proof device such as a smart card, then
assumptions about the structure of the embedded information can be made. A
possibility is for Mary to provide Bob's card with information on which are the
l bit positions containing a mark; such information should be encrypted under
the card's pseudonymous public key $y_1$. Then the card could be programmed to
choose the l embedded bits as a random codeword of a c-secure code [ref], which
would provide protection against buyer collusions. Bob should not learn the
codeword chosen by his card. It is worth mentioning that this way of using
smart cards to counter buyer collusion also applies to the scheme described in
[ref] if OTs or COTs are used in that scheme instead of Rabin's oblivious
transfers (i.e. if the buyer's card is allowed to input its choice to oblivious
transfers).

Note 4. A second advantage of Bob taking part in the fingerprinting process
through a tamper-proof smart card is that Step 1 of Protocol 2 is not needed.
However, if the choice of $b_i$ is known and controlled by Bob personally
(instead of a smart card), shuffling is necessary because otherwise Bob could
go twice through the fingerprinting protocol (perhaps under different
pseudonyms), first with $b_i = 0$ and then with $b_i = 1$, which with
probability 1 would allow him to discover whether $item_i$ contains a mark,
i.e. whether $item_i^{(0)} \neq item_i^{(1)}$. This would be against the
marking assumption stated in Section 2.



3.4 Identification

Following [ref], it only makes sense to try to identify a redistributor if the
redistributed copy is not too different from the original item:

Definition 1. Let sim be an arbitrary relation where $sim(item^{red}, item)$
means that a redistributed illegal copy $item^{red}$ is still so close to item
that the merchant Mary wants to identify the original buyer.

If $sim(item^{red}, item)$ holds, then it is reasonable to assume that
$item^{red}$ contains a substantial number of bits which are (perhaps modified)
copies of $item_1^*, \ldots, item_n^*$, for some fingerprinted version $item^*$
of item.

Protocol 3

1. Upon detecting a redistributed $item^{red}$, Mary determines whether
$sim(item^{red}, item)$ holds for some information item on sale. If not, Mary
quits the protocol.

2. Mary looks in her purchase record for all entries corresponding to sales of
item. Each entry contains the buyer-signed BCX bit commitments
$\overline{item_1^*}, \ldots, \overline{item_n^*}$ for the fingerprinted copy
$item^*$.

3. Mary sends a signed and time-stamped copy of $item^{red}$ to the authority
Ron and all (pseudonymous) buyers having bought a copy of item. Requiring Mary
to give away $item^{red}$ for free to the suspect buyers is meant to thwart her
from systematically and unjustly accusing all buyers of false redistributions.
In other words, $item^{red}$ represents no gift only for those buyers having
purchased something similar to $item^{red}$.

4. Take all suspect pseudonymous buyers in turn and do the following until a
redistributor is found or all buyers have been examined:

(a) Using a coin-flipping protocol, Mary and the pseudonymous buyer agree on
$l_1 < l < n$ bit positions. If the resulting positions contain less than
$l_2 \leq l_1$ marks, then Mary requests the buyer to start again the
coin-flipping protocol to agree on a new set of positions. The procedure is
repeated until the resulting positions contain $l_3$ marks, with
$l_2 \leq l_3 \leq l_1$.

(b) The pseudonymous buyer opens his BCX bit commitments corresponding to the
$l_1$ agreed bit positions.

(c) If all $l_3$ opened commitments at marked positions agree with the
corresponding bit values in $item^{red}$, then Mary takes this as a proof of
redistribution (see Note 6 below). Otherwise the suspect pseudonymous buyer is
declared innocent and will be given by Mary a new fingerprinted copy (this is
necessary because the buyer has been forced to reveal $l_3$ out of the l
commitments in his fingerprinted copy; an honest buyer who is declared suspect
several times might end up with virtually all his commitments opened).

5. Mary presents the opened signed commitments to the authority Ron asking for
identification of the dishonest buyer. The opened commitments constitute a
proof of redistribution, together with the signed $item^{red}$ sent to Ron at
Step 3 and the list of mark positions in item sent to Ron during merchandise
initialization.

Note 5. If Ron refuses to collaborate in Protocol 3, his role can be performed
by an arbiter except for buyer identification and mark recognition. Replace
"identify buyer" by "declare Ron guilty". If a suspect pseudonymous buyer
refuses to collaborate, then the transcript of the protocol is sent to Ron,
asking for identification. If the parameter $l_2$ is tuned properly, the risk
of unjustly accusing a buyer is sufficiently low not to deter suspect buyers
from proving their innocence (see Section 5).

Note 6. A third advantage of having buyers use tamper-proof smart cards during
fingerprinting is that the embedded information (i.e. the set of marks) can be
assumed to be a codeword of an error-correcting code with minimal distance
$d > 1$. In this case, finding $l_3 - d + 1$ matches in Substep 4(c) of
Protocol 3 suffices to declare a buyer guilty.



4 Complexity Analysis

The complexity of the construction of Section 3 is next assessed.

Merchandise initialization involves a digital signature and 2n BCX
commitments, where n is the bitlength of the information item to be
fingerprinted. If m is the security parameter, each BCX commitment requires
O(m) plain bit commitments BC, as mentioned in Section 2. Thus merchandise
initialization requires O(nm) BCs. However, notice that merchandise
initialization is an off-line procedure that is only run once for each
information item on sale.

The buyer registration protocol requires five exponentiations and a
zero-knowledge proof for showing possession of discrete logarithms (an
efficient protocol for such a proof can be found in [ref]).

The fingerprinting protocol basically involves n committed oblivious transfers
and n signatures (on the commitments resulting from the COTs). From Section 2,
the n COTs are equivalent to O(nm) plain oblivious transfers OT and $O(nm^2)$
plain bit commitments BC.

The identification protocol requires opening O(n) BCX commitments. This is
equivalent to opening O(nm) plain BCs. In addition, one instance of the
fingerprinting protocol should be run for each suspect buyer who cannot be
found guilty.

Note 7. Previously proposed anonymous fingerprinting protocols rely on
computationally unspecified black boxes: secure multiparty computation in the
case of [ref] and [ref], or a generic zero-knowledge proof in the case of
[ref]. Therefore, implementation of such protocols is far from obvious. The
construction in this paper does not suffer from this problem, because it is
based on well-known primitives.
5 Security Analysis

We analyze in this section the security of the construction of Section 3.

Proposition 1 (Registration security). Protocol 1 provides buyer
authentication without compromising the private key $x_B$ of the buyer.

Proof. In registration, the authority Ron sees $S_1$, $S_2$, $y_1$ and a
zero-knowledge proof. The latter leaks no information. Without considering the
zero-knowledge proof, Ron needs no knowledge of $x_B$ to find values $S_1'$,
$S_2'$ and $y_1'$ which are related in the same way as $S_1$, $S_2$ and $y_1$.
Take a random $s_1'$, then compute $y_1' = g^{s_1'}$ and $S_1' = y_1'^{x_R}$.
Finally, $S_2' = y_B^{x_R} / S_1'$.

Now consider the zero-knowledge proofs; imagine that an impersonator not
knowing $x_B$ can compute $S_1$, $S_2$ such that he/she can demonstrate
possession of $\log_{y_R} S_1$ and $\log_{y_R} S_2$ and $S_1 S_2 = y_B^{x_R}$
holds. Then the impersonator can compute the discrete logarithm $x_B$. In
general, if impersonation is feasible, so is computing discrete logarithms. □

Proposition 2 (Buyer anonymity). Let $l_2$ be the minimal number of marks to
be opened by a suspect buyer in the identification protocol. Then the
probability that the merchant identifies an honest buyer who correctly followed
Protocol 2 is upper-bounded by $2^{-l_2}$.

Proof. In the fingerprinting protocol, Mary sees a pseudonym $y_1$, which is
related to $y_B$ by the equation $y_1^{x_R} S_2 = y_B^{x_R}$. Even knowledge of
$\log_g y_R = x_R$ would not suffice to uniquely determine $y_B$ from $y_1$,
since $S_2$ is unknown to Mary.

Thus Mary must rely on Protocol 3 to unduly identify an honest buyer. Suspect
but honest buyers are not especially vulnerable since they are given a new
fingerprinted copy if they cannot be proven guilty. So the only strategy is for
Mary to fabricate an $item^{red}$ with the hope that the $l_3 \geq l_2$ marked
bit positions agreed upon by coin-flipping will contain the same values as the
$l_3$ commitments opened by the buyer. Since the n COTs performed by Mary and
the buyer during fingerprinting do not allow Mary to learn anything about the
buyer's choices $b_i$ (see [ref]), the probability of unlawful identification
is $2^{-l_3} \leq 2^{-l_2}$. □

Merchant security depends on the marks being preserved. The next proposition
shows that, for a non-colluding redistributor to remain undetected, the
fingerprinted copy must be modified substantially and randomly.

Proposition 3 (Merchant security). In order to remain undiscovered after the
identification protocol, a non-colluding redistributor must modify on average
$n/l_2$ randomly chosen bits of the fingerprinted copy. This number can be made
large by choosing $l_2 \ll n$.

Proof. Since the redistributor does not know where the marks are, his only
possibility is random search. The probability that modification of one bit of
the fingerprinted copy results in modification of one of the $l_2$ marks opened
during the identification protocol is $l_2/n$. Thus, to ensure modification of
one mark, $n/l_2$ randomly chosen bits of the fingerprinted copy must be
modified on average. □
Collusion is another strategy for buyers to delete marks. In Note 3 the use of
tamper-proof smart cards was sketched as a way to obtain collusion-secure
fingerprinting. If no smart cards are used, then we can only state the
following:

Proposition 4. The expected percentage of marks that can be deleted by a
collusion of c buyers is $100(1 - 1/2^{c-1})$.

Proof. By the marking assumption, if the i-th bit position of item contains a
mark, c colluding buyers can locate (and delete) this mark if and only if they
can pool two bit versions $item_i^{(0)}$ and $item_i^{(1)}$ such that
$item_i^{(0)} \neq item_i^{(1)}$. Thanks to the shuffling step in Protocol 2,
buyers cannot control which version of the i-th bit is delivered to them. Thus,
the probability that all c buyers were given the same version is $1/2^{c-1}$.
Therefore, the probability that they can pool both versions is
$1 - 1/2^{c-1}$. □
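Protocols 2 and 3 (Section 3) reduced to their bit-level logic, together with the false-accusation bound of Proposition 2 and the collusion count of Proposition 4, as an added example that is not part of the original paper. Commitments, committed oblivious transfers and signatures are left out, so Mary reading Bob's choice bits directly here is a simplification that the real protocol prevents; the item, the mark positions and the parameters $l_1$, $l_2$ are constructed for the demo.

```python
import random


def make_versions(item, marks):
    """Merchandise initialization: item^(0) and item^(1) agree except at marked positions."""
    v0, v1 = list(item), list(item)
    for i in marks:
        v1[i] ^= 1
    return v0, v1


def fingerprint(v0, v1, choices, rng):
    """Protocol 2: Mary shuffles each pair (and records it); Bob's bit b_i selects one entry."""
    copy, shuffle_record = [], []
    for i, b in enumerate(choices):
        swapped = rng.random() < 0.5
        pair = (v1[i], v0[i]) if swapped else (v0[i], v1[i])
        copy.append(pair[b])
        shuffle_record.append(swapped)
    return copy, shuffle_record


def agree_positions(n, marks, l1, l2, rng):
    """Step 4(a): coin-flip l1 positions, retrying until at least l2 of them carry a mark."""
    while True:
        positions = rng.sample(range(n), l1)
        l3 = sum(1 for i in positions if i in marks)
        if l3 >= l2:
            return positions, l3


def identify(item_red, buyer_copy, marks, l1, l2, rng):
    """Steps 4(b)-(c): the buyer opens the agreed positions; guilty iff all l3 marks match item_red."""
    positions, l3 = agree_positions(len(item_red), marks, l1, l2, rng)
    opened = {i: buyer_copy[i] for i in positions}    # stand-in for opening the BCX commitments
    matches = sum(1 for i in positions if i in marks and opened[i] == item_red[i])
    return matches == l3, l3


def false_accusation_bound(l2):
    """Proposition 2: an honest buyer is wrongly identified with probability at most 2^-l2."""
    return 2.0 ** -l2


def collusion_detectable_fraction(v0, v1, marks, c, rng):
    """Proposition 4: c buyers pool their copies; a mark is located iff their bits differ there.
    Expected fraction 1 - 1/2^(c-1): the shuffle makes each delivered version uniform."""
    n = len(v0)
    copies = [fingerprint(v0, v1, [rng.randrange(2) for _ in range(n)], rng)[0] for _ in range(c)]
    located = sum(1 for i in marks if len({cp[i] for cp in copies}) > 1)
    return located / len(marks)


def constructed_instance(seed=1, n=4000, l=2000):
    """Constructed demo input (not real data): a random n-bit item with l marked positions."""
    rng = random.Random(seed)
    item = [rng.randrange(2) for _ in range(n)]
    marks = set(rng.sample(range(n), l))
    v0, v1 = make_versions(item, marks)
    return rng, marks, v0, v1


if __name__ == "__main__":
    rng, marks, v0, v1 = constructed_instance()
    bob_copy, _ = fingerprint(v0, v1, [rng.randrange(2) for _ in range(len(v0))], rng)
    print("Bob's own copy redistributed:", identify(bob_copy, bob_copy, marks, 40, 10, rng))
    print("false accusation bound, l2=10:", false_accusation_bound(10))
    print("marks located by 2 colluders:", collusion_detectable_fraction(v0, v1, marks, 2, rng))
```

The identification check only compares the $l_3$ marked positions among the $l_1$ opened ones, so a buyer whose copy differs from $item^{red}$ at every mark is never identified, while the redistributor's own copy always is; the collusion fraction converges to 1/2 for two colluders and 3/4 for three, as Proposition 4 states.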

Merchant security also depends on the kind of similarity relation sim used (see
Subsection 3.4). If sim is very loose, this means that Mary wishes to identify
the original buyer of any redistributed item that vaguely resembles an item on
sale; of course, identification may often fail in such cases (the authority Ron
is likely to deny identification).

6 Conclusion and Future Directions 

To our best knowledge, we have presented the first construction for anonymous 
fingerprinting which is completely specified from a computational point of view 
and is thus readily implementable. Unlike previous proposals, the proposed con- 
struction relies only on computationally well-defined primitives. By properly 
tuning its security parameters, good buyer and merchant protection can be at- 
tained. In addition, if combined with smart cards for fingerprinting on the buyer’s 
side, the construction also provides protection against collusions. 

Future research should be directed to: 

— Implementing all buyer functionality on a smart card. This may require
further efficiency improvements.

— Speeding up the whole process. A possible way to speed up the fingerprinting
protocol is to modify the protocol for COT proposed in [ref] so that what is
transferred is not a single bit but an r-bit string. In the protocol described
in [ref] a privacy amplification function $h : \{0,1\}^m \to \{0,1\}$ is used;
to achieve the desired speed-up, one could replace h with another privacy
amplification function $h' : \{0,1\}^m \to \{0,1\}^r$.
Abstract. This paper presents a simple and efficient conversion from a
semantically secure public-key encryption scheme against passive adversaries
to a non-malleable (or semantically secure) public-key encryption scheme
against adaptive chosen-ciphertext attacks (active adversaries) in the random
oracle model. Since our conversion requires only one random (hash) function
operation, the converted scheme is almost as efficient as the original one,
when the random function is replaced by a practical hash function such as
SHA-1 and MD5. We also give a concrete analysis of the reduction for proving
its security, and show that our security reduction is (almost) optimally
efficient. Finally this paper gives some practical examples of applying this
conversion to some practical and semantically secure encryption schemes such as
the ElGamal, Blum-Goldwasser and Okamoto-Uchiyama schemes.



1 Introduction 

1.1 Background 

One of the most important topics in cryptography is to propose a practical and
provably secure public-key encryption scheme. The strongest security notion in
public-key encryption is that of non-malleability or semantic security against
adaptive chosen-ciphertext attacks. In [ref], Bellare, Desai, Pointcheval and
Rogaway show that semantic security against adaptive chosen-ciphertext attacks
(IND-CCA2) is equivalent to (or sufficient for) the strongest security notion
(NM-CCA2).

A promising way to construct a practical public-key encryption scheme
semantically secure against adaptive chosen-ciphertext attacks (IND-CCA2) is to
convert from a primitive trap-door one-way function (such as RSA or ElGamal) by
using random functions. Here, an ideally random function, the "random oracle",
is assumed when proving the security, and the random function is replaced by a
practical random-like function such as a one-way hash function (e.g., SHA-1 and
MD5, etc.) when realizing it in practice. This approach was initiated by
Bellare and Rogaway, and is called the random oracle model [ref].

Although security in the random oracle model cannot be guaranteed formally
when a practical random-like function is used in place of the random oracle,
this paradigm often yields much more efficient schemes than those in the
standard model and gives an informal security guarantee of the schemes.

H. Imai and Y. Zheng (Eds.): PKC'99, LNCS 1560, pp. 53-, 1999.
© Springer-Verlag Berlin Heidelberg 1999

54 E. Fujisaki, T. Okamoto

Two typical primitives of the trap-door one-way function are RSA and ElGa- 
mal. The RSA function is a trap-door one-way permutation, and the ElGamal 
function is a probabilistic trap-door one-way function. 

Bellare and Rogaway presented a generic and efficient way to convert a
trap-door one-way permutation to an IND-CCA2 secure scheme in the random oracle
model (the scheme created in this way from the RSA function is called OAEP).

However, their method cannot be applied to a probabilistic trap-door one-way
function such as ElGamal. Therefore, a new measure to convert a probabilistic
trap-door one-way function to an IND-CCA2 secure scheme (in the random oracle
model) should be very valuable.

This paper will present such a generic and efficient measure. It converts a
probabilistic trap-door one-way function to an IND-CCA2 secure scheme in the
random oracle model provided that the trap-door one-way function is
semantically secure (IND-CPA).

Since our conversion requires only one random (hash) function operation, the
converted scheme is almost as efficient as the original scheme, when the random
function is replaced by a practical hash function such as SHA-1 and MD5.
Therefore, we can construct practical IND-CCA2 secure schemes (in the random
oracle model) based on several practical IND-CPA secure schemes (under some
reasonable assumptions) such as the (elliptic curve) ElGamal, Blum-Goldwasser
and Okamoto-Uchiyama schemes [ref].



We begin by examining the notions of public-key encryption security. 



1.2 Classification of Encryption Scheme Security

We can define the security levels of public-key encryption schemes using pairs
of goals and adversary models (we saw this classification first in the paper
[ref], which stated that the viewpoint was suggested to the authors by Naor).

The goals are one-wayness (OW), indistinguishability (IND) [ref], and
non-malleability (NM) [ref] of encryption. One-wayness (OW) is defined by the
adversary's inability, given a challenge ciphertext y, to decrypt y and get the
whole plaintext x. Indistinguishability (IND) is defined by the adversary's
inability, given a challenge ciphertext y, to learn any information about the
plaintext x. Non-malleability (NM) is defined by the adversary's inability,
given a challenge ciphertext y, to get a different ciphertext y' such that the
corresponding plaintexts, x and x', are meaningfully related. Here a
meaningful relation is, for instance, x = x' + 1.

The three adversary models are called the chosen plaintext attack model (CPA),
the non-adaptive chosen-ciphertext attack model (CCA1), and the adaptive
chosen-ciphertext attack model (CCA2). In CPA, the adversary is given only the
public key. Of course, she can get the ciphertext of any plaintext chosen by
her. Clearly, in public-key encryption schemes, this attack cannot be avoided.
In CCA1, in addition to the public key, the adversary can access the decryption
oracle, although she is only allowed to access the oracle before being given a
challenge ciphertext. In CCA2, the adversary can access the decryption oracle
anytime (before or after being given a challenge ciphertext). She is only
prohibited from asking for the decryption of the challenge ciphertext itself.

Furthermore, we separate public-key encryption schemes into the random oracle
(RO) model or the standard model. In the random oracle model, every adversary,
independent of the adversary models, can be allowed to access the random
oracle anytime.

We say, for the security of a public-key encryption scheme $\Pi$, that $\Pi$
is secure in the sense of GOAL-ATK in the RO (or standard) model, where
GOAL $\in$ {OW, IND, NM} and ATK $\in$ {CPA, CCA1, CCA2}. Here one can think of
pairs of goals and attacks: OW-CPA, ..., OW-CCA2, IND-CPA, ..., NM-CCA2.
According to [ref], the relations among each notion of security are as
follows:¹



    NM-CPA  <--  NM-CCA1  <--  NM-CCA2
      |            |            ^ |
      v            v            | v
    IND-CPA <--  IND-CCA1 <--  IND-CCA2
      |            |             |
      v            v             v
    OW-CPA  <--  OW-CCA1  <--  OW-CCA2

(The crossed arrows of the original figure, which mark implications that do
not hold, are not reproduced here; for instance IND-CCA1 does not imply
NM-CCA2, Proposition 2 of Sec. 2.)

Here, for A, B $\in$ GOAL-ATK, "A $\to$ B" (say, A implies B) denotes that an
encryption scheme $\Pi := (\mathcal{K}, \mathcal{E}, \mathcal{D})$ being secure
in the sense of A is also secure in the sense of B, while "A $\not\to$ B" (say,
A doesn't imply B) denotes that $\Pi$ being secure in the sense of A is not
always secure in the sense of B.

We will provide precise definitions of these notions in Sec. 2 (due to the
space limitation, one-wayness is not discussed).



1.3 Our Results

This paper shows a simple and efficient conversion from an IND-CPA secure
public-key encryption scheme to an NM-CCA2 (or IND-CCA2) secure public-key
encryption scheme in the random oracle model.

Suppose $\Pi := (\mathcal{K}, \mathcal{E}, \mathcal{D})$ is an IND-CPA secure
public-key encryption scheme and $\mathcal{E}_{pk}(X, R)$ is the encryption
function in it, where pk is a public key, X is a message with $k + k_0$ bits
and R is a random string with l bits. The conversion is

$$\bar{\mathcal{E}}_{pk}(x, r) := \mathcal{E}_{pk}(x \| r, H(x \| r)), \qquad (1)$$

where H is a random function $\{0,1\}^{k+k_0} \to \{0,1\}^l$, x is a message
of the converted public-key encryption scheme
$\bar{\Pi} := (\bar{\mathcal{K}}, \bar{\mathcal{E}}, \bar{\mathcal{D}})$, r is
a random string with $k_0$ bits, and $\|$ denotes concatenation.
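The conversion (1) applied to ElGamal, one of the schemes the paper names, as an added example that is not the paper's own code. Assumptions: a 40-bit safe-prime group found at start-up (toy size), messages encoded into the quadratic-residue subgroup by squaring, SHA-256 reduced into $\mathbb{Z}_p$ as the random function H, and k = 24, $k_0$ = 14. Decryption of the converted scheme recovers $x \| r$, recomputes the coins $H(x \| r)$, re-encrypts and rejects on mismatch; `malleate` shows the multiplicative malleability of the base ElGamal scheme that this check stops.

```python
import hashlib
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17)


def is_prime(n):
    """Deterministic Miller-Rabin; these bases are exact for n < 3.4e14, which covers our 40-bit range."""
    if n < 2:
        return False
    for q in SMALL_PRIMES:
        if n % q == 0:
            return n == q
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime_from(start):
    """Smallest P >= start with P and (P-1)/2 both prime."""
    n = start | 1
    while not (is_prime(n) and is_prime((n - 1) // 2)):
        n += 2
    return n


P = safe_prime_from(1 << 40)   # toy modulus (assumption): P = 2p + 1
p = (P - 1) // 2               # prime order of the quadratic-residue subgroup
g = 4                          # 2^2 is a residue, so it generates the order-p subgroup
K, K0 = 24, 14                 # k message bits, k0 redundancy bits (assumption); k + k0 = 38 < log2(p)


def encode(m):
    """Injective map from [1, p] into the subgroup: m -> m^2 mod P."""
    if not 1 <= m <= p:
        raise ValueError("message out of range")
    return m * m % P


def decode(M):
    """Inverse of encode: a square root (valid since P = 3 mod 4), normalised into [0, p]."""
    r = pow(M, (P + 1) // 4, P)
    return min(r, P - r)


def keygen():
    sk = secrets.randbelow(p - 1) + 1
    return pow(g, sk, P), sk


def elgamal_encrypt(pk, X, R):
    """Base IND-CPA scheme E_pk(X, R) with explicit coins R in Z_p."""
    return pow(g, R, P), encode(X) * pow(pk, R, P) % P


def elgamal_decrypt(sk, ct):
    c1, c2 = ct
    return decode(c2 * pow(c1, p - sk, P) % P)     # c2 / c1^sk, inverse via the subgroup order


def H(X):
    """Stand-in for the random oracle H: {0,1}^(k+k0) -> coins in Z_p (assumption: SHA-256 mod p)."""
    digest = hashlib.sha256(X.to_bytes(8, "big")).digest()
    return int.from_bytes(digest, "big") % p


def fo_encrypt(pk, x, r=None):
    """Conversion (1): E_pk(x||r, H(x||r)) with a fresh k0-bit r."""
    if not 0 <= x < 1 << K:
        raise ValueError("message out of range")
    if r is None:
        r = secrets.randbelow(1 << K0)
    X = ((x << K0) | r) + 1          # x||r, shifted by one so that it lies in [1, p]
    return elgamal_encrypt(pk, X, H(X))


def fo_decrypt(sk, pk, ct):
    """Decrypt, recompute the coins from x||r, re-encrypt, and reject anything that does not match."""
    X = elgamal_decrypt(sk, ct)
    if not 1 <= X <= p or elgamal_encrypt(pk, X, H(X)) != ct:
        return None                  # invalid or tampered ciphertext
    return (X - 1) >> K0             # drop r, return x


def malleate(ct):
    """Attack on the base scheme: multiplying c2 by g (a residue) gives a valid encryption of 2m mod P."""
    c1, c2 = ct
    return c1, c2 * g % P
```

The base scheme decrypts the malleated ciphertext to a different but well-formed plaintext, which is the malleability that NM-CCA2 rules out; the converted scheme rejects it because the recovered $x' \| r'$ hashes to different coins and the re-encryption no longer reproduces the ciphertext. One hash evaluation per encryption and one per decryption is the whole overhead of the conversion.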



¹ Although one-wayness is not described in [ref], the relations among OW and
the other goals in the diagram are clear.
Main Theorem

Suppose that $\Pi(1^{k+k_0})$ is the original IND-CPA secure scheme and
$\bar{\Pi}$ is the converted scheme. If there exists a
$(t, q_H, q_D, \epsilon)$-breaker A for $\bar{\Pi}$ in the sense of IND-CCA2
in the random oracle model, then there exist constants $c_0$, $c_1$ and a
$(t', 0, 0, \epsilon')$-breaker A' for $\Pi$, where

$t' = t + q_H \cdot (T_{\mathcal{E}}(k) + c_0 \cdot k)$, and

$\epsilon' = (\epsilon - q_H \cdot (1$ …

Here, $(t, q_H, q_D, \epsilon)$-breaker A, informally, means that A stops
within t steps, succeeds with probability $\geq \epsilon$, makes at most $q_H$
queries to random oracle H, and makes at most $q_D$ queries to decryption
oracle $\mathcal{D}_{sk}$ (see Sec. 2 for the formal definition).
$T_{\mathcal{E}}(k)$ denotes the computational time of the encryption
algorithm $\mathcal{E}_{pk}(\cdot)$, and $c_0$ and $c_1$ depend on details of
the underlying model of computation.

This theorem implies that if the original scheme $\Pi$ is IND-CPA secure, the
converted scheme $\bar{\Pi}$ is IND-CCA2 secure (and NM-CCA2 secure as well)
in the random oracle model, provided that k, $k_0$ and l are in proportion to
system size.



1.4 Merits and Related Works

As mentioned above, the Bellare-Rogaway conversion [ref] is a generic scheme to
be applied to trap-door one-way permutations (such as RSA), while our
conversion is a generic one to be applied to probabilistic trap-door one-way
functions (such as ElGamal).

Since our conversion starts from an IND-CPA secure scheme, a stronger starting
point than the trap-door one-way permutation the Bellare-Rogaway conversion
starts from, our conversion is simpler and more efficient than theirs, i.e.,
our conversion requires only one random function operation, while the
Bellare-Rogaway conversion requires two random function operations. In
addition, the security reduction of our conversion is more efficient (tighter)
than that of Bellare-Rogaway's, since we need no additional reduction for
semantic security.

Recently, Cramer and Shoup presented a new public-key encryption scheme based
on ElGamal, which is the first practical IND-CCA2 secure scheme in the standard
model [ref]. Compared with theirs, our converted version of the ElGamal scheme
has a disadvantage in terms of the assumptions (ours is in the random oracle
model and under the decision Diffie-Hellman assumption, while the Cramer-Shoup
scheme is under the universal one-way hash assumption and the decision
Diffie-Hellman assumption), but ours still has better efficiency, at least
twice that of theirs. In addition, since our approach is generic, unlike the
Cramer-Shoup scheme, it can be applied to other IND-CPA secure schemes such as
the Blum-Goldwasser and Okamoto-Uchiyama schemes [ref].

Compared with the converted ElGamal scheme presented by Tsiounis and Yung
[ref], which is secure in the IND-CCA2 (i.e. NM-CCA2) sense, our converted one
is at least twice as efficient as theirs under the same assumptions, the random
oracle model and the decision Diffie-Hellman assumption.
2 Definitions and Security Models

In this section, we give some definitions about encryption scheme security.
Basically, we follow the terminology in [ref].

Definition 1. Let A be a probabilistic algorithm and let
$A(x_1, \ldots, x_n; r)$ be the result of A on input $(x_1, \ldots, x_n)$ and
coins r. We define by $y \leftarrow A(x_1, \ldots, x_n)$ the experiment of
picking r at random and letting y be $A(x_1, \ldots, x_n; r)$. If S is a
finite set, let $y \leftarrow S$ be the operation of picking y at random and
uniformly from the finite set S. $\varepsilon$ denotes the null symbol and, for
a list t, $t \leftarrow \varepsilon$ denotes the operation of letting list t be
empty. Moreover, let $\|$ denote the concatenation operator and, for an n-bit
string x, $[x]^k$ and $[x]_k$ denote the first and last k-bit strings of x
respectively ($k \leq n$).

Definition 2. [Public-Key Encryption] We say that a triple of algorithms
$\Pi := (\mathcal{K}, \mathcal{E}, \mathcal{D})$ is a public-key encryption
scheme if

— $\mathcal{K}$, the key-generation algorithm, is a probabilistic algorithm
which on input $1^k$ ($k \in \mathbb{N}$) outputs, in polynomial time in k, a
pair (pk, sk) of matching public and secret keys.

— $\mathcal{E}$, the encryption algorithm, is a probabilistic algorithm which
on input public key pk and plaintext $x \in \{0,1\}^k$ outputs ciphertext y in
polynomial time in k. We denote by
$\mathcal{E}_{pk} : \{0,1\}^k \times \{0,1\}^{l(k)} \to \{0,1\}^{n(k)}$ the map
from the product of the k-bit message and l(k)-bit coin-flipping spaces to the
n(k)-bit cipher space, where $l(\cdot)$ and $n(\cdot)$ are positive integer
valued functions bounded by some polynomial, namely
$l(k), n(k) \leq \mathrm{poly}(k)$ for large enough k.

— $\mathcal{D}$, the decryption algorithm, is a deterministic algorithm which
on input secret key sk and ciphertext y outputs $\mathcal{D}_{sk}(y)$ such that

$$\mathcal{D}_{sk}(y) = \begin{cases} x \in \{0,1\}^k & \text{if there exists } x \text{ such that } y = \mathcal{E}_{pk}(x) \\ \varepsilon \text{ (null)} & \text{otherwise.} \end{cases}$$

We say that ciphertext y is valid if there exists a plaintext x such that
$y = \mathcal{E}_{pk}(x)$. We insist that in a public-key encryption scheme the
map from the plaintext space to the ciphertext space should be one-to-one
(injective): the decryption of each ciphertext should be unique.

Definition 3. [Random Oracle Model] We define by $\Omega$ the set of all maps
from the set $\{0,1\}^*$ of finite strings to the set $\{0,1\}^\infty$ of
infinite strings. $H \leftarrow \Omega$ means that we choose a map H from a
set of an appropriate finite length (say $\{0,1\}^a$) to a set of an
appropriate finite length (say $\{0,1\}^b$), from $\Omega$ at random and
uniformly, restricting the domain to $\{0,1\}^a$ and the range to the first b
bits of output. If $\mathcal{E}$ and $\mathcal{D}$ in public-key encryption
scheme $\Pi$ are allowed to access such an identical map H, we say that the
scheme is defined in the random oracle model. If we insist on the fact, then we
will denote $\Pi := (\mathcal{K}, \mathcal{E}^H, \mathcal{D}^H)$.
Below, we give the precise definitions of GOAL-ATK described in Sec. 1.2. Due
to the space limitations, one-wayness is not described.

Definition 4. [IND-ATK] Let $\Pi := (\mathcal{K}, \mathcal{E}, \mathcal{D})$
be a public-key encryption scheme and let $A := (A_1, A_2)$ be a pair of
probabilistic algorithms (say Adversary). For $atk \in \{cpa, cca1, cca2\}$ and
$k \in \mathbb{N}$, define

$$Adv^{ind\text{-}atk}_{A,\Pi}(k) := 2\Pr[H \leftarrow \Omega;\ (pk, sk) \leftarrow \mathcal{K}(1^k);\ (x_0, x_1, s) \leftarrow A_1^{O_1,H}(pk);\ b \leftarrow \{0,1\};\ y \leftarrow \mathcal{E}_{pk}(x_b) : A_2^{O_2,H}(x_0, x_1, s, y) = b] - 1.$$

Here, $O_1(\cdot)$, $O_2(\cdot)$ are defined as follows:

— If atk = cpa then $O_1(\cdot) = \varepsilon$ and $O_2(\cdot) = \varepsilon$

— If atk = cca1 then $O_1(\cdot) = \mathcal{D}_{sk}(\cdot)$ and
$O_2(\cdot) = \varepsilon$

— If atk = cca2 then $O_1(\cdot) = \mathcal{D}_{sk}(\cdot)$ and
$O_2(\cdot) = \mathcal{D}_{sk}(\cdot)$

In addition we require that $A_1$ outputs $x_0, x_1$ with $|x_0| = |x_1|$ and,
in the case of IND-CCA2, $A_2$ does not ask its oracle to decrypt y.

We say that $\Pi$ is secure in the sense of IND-ATK if for any adversary A
being polynomial-time in k, $Adv^{ind\text{-}atk}_{A,\Pi}(k)$ is negligible in
k.

We insist that $A := (A_1, A_2)$ is not allowed to access H in the standard
model. When we insist on that, we write $A_1^{O_1}$ and $A_2^{O_2}$ instead of
$A_1^{O_1,H}$ and $A_2^{O_2,H}$, respectively. On the other hand, when we
insist on the random oracle model, we write $\mathcal{E}^H_{pk}(\cdot)$ and
$\mathcal{D}^H_{sk}(\cdot)$ instead of $\mathcal{E}_{pk}(\cdot)$ and
$\mathcal{D}_{sk}(\cdot)$, respectively.

Definition 5. [NM-ATK] Let $\Pi := (\mathcal{K}, \mathcal{E}, \mathcal{D})$
be a public-key encryption scheme and let $A := (A_1, A_2)$ be a pair of
probabilistic algorithms (say Adversary). For $atk \in \{cpa, cca1, cca2\}$ and
$k \in \mathbb{N}$, define

$$Adv^{nm\text{-}atk}_{A,\Pi}(k) := \left| Succ^{nm\text{-}atk}_{A,\Pi}(k) - Succ^{nm\text{-}atk}_{A,\Pi,\$}(k) \right|$$

where

$$Succ^{nm\text{-}atk}_{A,\Pi}(k) := \Pr[H \leftarrow \Omega;\ (pk, sk) \leftarrow \mathcal{K}(1^k);\ (M, s) \leftarrow A_1^{O_1,H}(pk);\ x, x' \leftarrow M;\ y \leftarrow \mathcal{E}_{pk}(x);\ (R, \bar{y}) \leftarrow A_2^{O_2,H}(M, s, y);\ \bar{x} \leftarrow \mathcal{D}_{sk}(\bar{y}) : (y \neq \bar{y}) \wedge (\varepsilon \neq \bar{x}) \wedge R(x, \bar{x})]$$

and

$$Succ^{nm\text{-}atk}_{A,\Pi,\$}(k) := \Pr[H \leftarrow \Omega;\ (pk, sk) \leftarrow \mathcal{K}(1^k);\ (M, s) \leftarrow A_1^{O_1,H}(pk);\ x, x' \leftarrow M;\ y \leftarrow \mathcal{E}_{pk}(x);\ (R, \bar{y}) \leftarrow A_2^{O_2,H}(M, s, y);\ \bar{x} \leftarrow \mathcal{D}_{sk}(\bar{y}) : (y \neq \bar{y}) \wedge (\varepsilon \neq \bar{x}) \wedge R(x', \bar{x})]$$

Here, $O_1(\cdot)$, $O_2(\cdot)$ are defined as before. In the case of
NM-CCA2, $A_2$ does not ask its oracle to decrypt y.

We say that M is valid if $|x| = |x'|$ for any x, x' that are given non-zero
probability in the message space M.
We say that $\Pi$ is secure in the sense of NM-ATK if, for any adversary A
being polynomial-time in k that outputs a valid message space M samplable in
polynomial time in k and a relation R computable in polynomial time in k,
$Adv^{nm\text{-}atk}_{A,\Pi}(k)$ is negligible in k.

We insist that $A := (A_1, A_2)$ is not allowed to access H in the standard
model. When we insist on that, we write $A_1^{O_1}$ and $A_2^{O_2}$ instead of
$A_1^{O_1,H}$ and $A_2^{O_2,H}$, respectively. On the other hand, when we
insist on the random oracle model, we write $\mathcal{E}^H_{pk}(\cdot)$ and
$\mathcal{D}^H_{sk}(\cdot)$ instead of $\mathcal{E}_{pk}(\cdot)$ and
$\mathcal{D}_{sk}(\cdot)$, respectively.

We review some important results proven in [ref] below. Here, as mentioned
above, for A, B $\in$ GOAL-ATK, "A $\to$ B" (say, A implies B) denotes that an
encryption scheme $\Pi := (\mathcal{K}, \mathcal{E}, \mathcal{D})$ being secure
in the sense of A is also secure in the sense of B, while "A $\not\to$ B" (say,
A doesn't imply B) denotes that $\Pi$ being secure in the sense of A is not
always secure in the sense of B.

Proposition 1. IND-CCA2 $\to$ NM-CCA2.

From this proposition, it is clear that

Corollary 1. IND-CCA2 $\leftrightarrow$ NM-CCA2.

Proposition 2. IND-CCA1 $\not\to$ NM-CCA2.

The following definition is utilized to discuss security more exactly (exact
security).

Definition 6. [Breaking Algorithm] Let
$\Pi := (\mathcal{K}, \mathcal{E}, \mathcal{D})$ be a public-key encryption
scheme. We say that an adversary A is a $(t, q_H, q_D, \epsilon)$-breaker for
$\Pi(1^k)$ in GOAL-ATK if $Adv^{goal\text{-}atk}_{A,\Pi}(k) \geq \epsilon$
and, moreover, A runs within running time at most t, asking at most $q_H$
queries to $H(\cdot)$ and at most $q_D$ queries to $\mathcal{D}_{sk}(\cdot)$.
In addition, $q_H$ denotes the number of queries A asks to the random function
$H(\cdot)$, and similarly, $q_D$ denotes the number of queries A asks to the
decryption oracle $\mathcal{D}_{sk}(\cdot)$. In the case of atk = cpa,
$q_D = 0$. In the case of the standard model, $q_H = 0$.

In the following, we will recall the notion of Plaintext Awareness and the
main results.

Definition 7. [Plaintext Awareness (PA)] Let
$\Pi := (\mathcal{K}, \mathcal{E}, \mathcal{D})$ be a public-key encryption
scheme, let B be an adversary, and let K be a polynomial-time algorithm (say
knowledge extractor). For any $k \in \mathbb{N}$ let

$$Succ^{pa}_{K,B,\Pi}(k) := \Pr[H \leftarrow \Omega;\ (pk, sk) \leftarrow \mathcal{K}(1^k);\ (\tau, \eta, y) \leftarrow \mathrm{run}\, B^{H, \mathcal{E}_{pk}}(pk) : K(\tau, \eta, y, pk) = \mathcal{D}_{sk}(y)],$$

where $\tau := \{(h_1, H_1), \ldots, (h_{q_H}, H_{q_H})\}$,
$\eta := \{y_1, \ldots, y_{q_{\mathcal{E}}}\}$, and $y \notin \eta$. We
describe a supplementary explanation: by
$(\tau, \eta, y) \leftarrow \mathrm{run}\, B^{H, \mathcal{E}_{pk}}(pk)$ we mean
the following. Run B on input pk and oracles $H(\cdot)$ and
$\mathcal{E}_{pk}(\cdot)$ and record $(\tau, \eta, y)$ from B's interaction
with its oracles. $\tau$ denotes the set of all B's queries and the
corresponding answers of $H(\cdot)$. $\eta$ denotes the set of all the answers
(ciphertexts) received as the result of $\mathcal{E}_{pk}$. Here we insist
that $\eta$ doesn't include the corresponding queries (plaintexts) from B. y
denotes the output of B.

We say that K is a $(t, \lambda(k))$-knowledge extractor if
$Succ^{pa}_{K,B,\Pi}(k) \geq \lambda(k)$ and K runs within running time at
most t (or t steps).

We say that $\Pi$ is secure in the sense of PA if $\Pi$ is secure in the sense
of IND-CPA and there exists a $(t, \lambda(k))$-knowledge extractor K where t
is polynomial in k and $(1 - \lambda(k))$ is negligible in k.

The following results proven in [ref] are important.

Proposition 3. PA $\to$ IND-CCA2 in the random oracle model.

Corollary 2. PA $\to$ NM-CCA2 in the random oracle model.
3 Basic Scheme

Suppose a public-key encryption scheme $\Pi := (\mathcal{K}, \mathcal{E}, \mathcal{D})$ exists which is semantically secure against every chosen-plaintext (passive) attack (IND-CPA). Let $k_0(\cdot)$, $l_0(\cdot)$, $l(\cdot)$, $n(\cdot)$ be positive-integer-valued functions bounded by some polynomial, namely $k_0(k), l_0(k), l(k), n(k) < \mathrm{poly}(k)$ for large enough $k$. We denote by $\Pi(1^{k+k_0}) = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ a public-key encryption scheme with $(k + k_0(k))$-bit plaintext space, $l(k + k_0(k))$-bit random value space and $n(k + k_0(k))$-bit ciphertext space:

$$\mathcal{E}_{pk} : \{0,1\}^{k+k_0} \times \{0,1\}^{l} \to \{0,1\}^{n} \quad\text{and}\quad \mathcal{D}_{sk} : \{0,1\}^{n} \to \{0,1\}^{k+k_0},$$

where we write $k_0$, $l$ and $n$ for $k_0(k)$, $l(k + k_0(k))$ and $n(k + k_0(k))$. In the public-key encryption scheme $\Pi$, the (encryption) map from the plaintext space to the ciphertext space is one-to-one (injective). In addition, we define by

$$l_0(k + k_0) := \log_2\Big( \min_{x \in \{0,1\}^{k+k_0}} \big[ \#\{\mathcal{E}_{pk}(x, r) \mid r \in \{0,1\}^{l}\} \big] \Big)$$

the (logarithm of the) minimum, over fixed plaintexts $x$, of the number of distinct encryptions of $x$. We often write $l_0$ for $l_0(k + k_0)$ for simplicity. Furthermore, we let $H : \{0,1\}^{k+k_0} \to \{0,1\}^{l}$ be an ideal hash function.

We introduce a new public-key encryption scheme, $\bar{\Pi} := (\bar{\mathcal{K}}, \bar{\mathcal{E}}, \bar{\mathcal{D}})$, derived from $\Pi$ and the hash function $H$ as follows:

Basic Scheme $\bar{\Pi} := (\bar{\mathcal{K}}, \bar{\mathcal{E}}, \bar{\mathcal{D}})$

- $\bar{\mathcal{K}}(1^k) := \mathcal{K}(1^{k+k_0})$, where $k_0$ denotes $k_0(k)$ for simplicity.

- $\bar{\mathcal{E}}_{pk} : \{0,1\}^{k} \times \{0,1\}^{k_0} \to \{0,1\}^{n}$ is defined by
  $$\bar{\mathcal{E}}_{pk}(x, r) := \mathcal{E}_{pk}(x \| r,\ H(x \| r)),$$
  where $|x| = k$, $|r| = k_0$, and $n := n(k + k_0(k))$.

- $\bar{\mathcal{D}}_{sk} : \{0,1\}^{n} \to \{0,1\}^{k}$ is defined by
  $$\bar{\mathcal{D}}_{sk}(y) := \begin{cases} [\mathcal{D}_{sk}(y)]^{k} & \text{if } y = \mathcal{E}_{pk}(\mathcal{D}_{sk}(y),\ H(\mathcal{D}_{sk}(y))) \\ \varepsilon\ \text{(null)} & \text{otherwise,} \end{cases}$$
  where $[\mathcal{D}_{sk}(y)]^{k}$ denotes the first $k$ bits of $\mathcal{D}_{sk}(y)$.

Hereafter we will show that $\bar{\Pi}$ is semantically secure against every adaptive chosen-ciphertext attack.

4 Security

In this section, our goal is to prove Theorem 3. This theorem not only shows that if $\Pi$ is IND-CPA secure then $\bar{\Pi}$ is IND-CCA2 secure, but also gives the exact reduction cost from $\Pi$ to $\bar{\Pi}$. The proof of Theorem 3 is derived from Theorems 1 and 2.

We begin by showing Theorem 1. Recall that $k_0(\cdot)$, $l(\cdot)$ and $n(\cdot)$ are functions bounded by some polynomial, namely $k_0(k), l(k), n(k) < \mathrm{poly}(k)$ for large enough $k$, and, for simplicity, we often write $k_0$, $l_0$, $l$ and $n$ for $k_0(k)$, $l_0(k + k_0(k))$, $l(k + k_0(k))$ and $n(k + k_0(k))$.

Theorem 1. [Knowledge extractor $K$ of $\bar{\Pi}$] If there exists a $(t, q_H)$-adversary $B$, then there exist a constant $c_0$ and a $(t', \lambda(k))$-knowledge extractor $K$ such that

$$t' = t + q_H \cdot (T_{\mathcal{E}}(k) + c_0 \cdot k) \quad\text{and}\quad \lambda(k) = 1 - 2^{-l_0}.$$

Here $T_{\mathcal{E}}(k)$ denotes the computational running time of the encryption algorithm $\mathcal{E}_{pk}(\cdot)$ and $l_0 := \log_2\big(\min_{x \in \{0,1\}^{k+k_0}} [\#\{\mathcal{E}_{pk}(x, r) \mid r \in \{0,1\}^{l}\}]\big)$.

Proof. The specification of the knowledge extractor $K$ is as follows:

Extractor: $K(\tau, \eta, y, pk)$
    for $i = 1$ to $q_H$ do
        if $y == \mathcal{E}_{pk}(h_i, H_i)$
            then $x \leftarrow [h_i]^{k}$ and break
            else $x \leftarrow \varepsilon$ (null)
    return $x$
End.

Here note that $\tau := \{(h_1, H_1), \ldots, (h_{q_H}, H_{q_H})\}$.

Now we define $c_0$ as corresponding to the computation time of comparing a bit to a bit plus some overhead, which depends on details of the underlying model of computation of $K$. Then, from the specification, $K$ runs within time $t + q_H \cdot (T_{\mathcal{E}}(k) + c_0 \cdot k)$.

Next we consider the probability that $K$ outputs the plaintext $x$ correctly, namely $x = \bar{\mathcal{D}}_{sk}(y)$. Here let Fail be the event that is true iff $x \neq \bar{\mathcal{D}}_{sk}(y)$, and let AskH be the event that is true iff there exists $(h_i, H_i)$ in the list $\tau$ such that $y = \mathcal{E}_{pk}(h_i, H_i)$. Then it follows that

$$\Pr[\mathrm{Fail}] = \Pr[\mathrm{Fail} \mid \mathrm{AskH}] \cdot \Pr[\mathrm{AskH}] + \Pr[\mathrm{Fail} \mid \neg\mathrm{AskH}] \cdot \Pr[\neg\mathrm{AskH}] \leq \Pr[\mathrm{Fail} \mid \mathrm{AskH}] + \Pr[\mathrm{Fail} \mid \neg\mathrm{AskH}] \leq 0 + 2^{-l_0}.$$

If AskH is true then $K$ never fails to recover the plaintext $x$, and hence it is clear that $\Pr[\mathrm{Fail} \mid \mathrm{AskH}] = 0$.

Next, in the case that $\neg$AskH is true, $K$ outputs $\varepsilon$: $K$ guesses that $y$ is invalid. Therefore, the probability of $K$'s failure is that of $B$ outputting a valid $y$. We show that $\Pr[\mathrm{Fail} \mid \neg\mathrm{AskH}]$ is at most $2^{-l_0}$ in the following.

Let us define the event "good $y$" to be true iff $\mathcal{D}_{sk}(y) \neq \varepsilon$. Don't confuse it with "valid $y$": valid $y$ is defined to be true iff $\bar{\mathcal{D}}_{sk}(y) \neq \varepsilon$. Then note that

$$\Pr[F] := \Pr[\mathrm{Fail} \mid \neg\mathrm{AskH}] = \Pr[F \mid \mathrm{good}\ y] \cdot \Pr[\mathrm{good}\ y] + \Pr[F \mid \neg\mathrm{good}\ y] \cdot \Pr[\neg\mathrm{good}\ y] \leq \Pr[F \mid \mathrm{good}\ y].$$

Therefore, it is enough to consider $\Pr[F \mid \mathrm{good}\ y]$.

Recall that $l_0 := \log_2\big(\min_{x \in \{0,1\}^{k+k_0}} [\#\{\mathcal{E}_{pk}(x, r) \mid r \in \{0,1\}^{l}\}]\big)$. For good $y$, let $\mathcal{H}_y$ be the set of $(h, H_j)$'s such that $y = \mathcal{E}_{pk}(h, H_j)$. Here $j \in \{1, \ldots, s\}$ and $s \leq 2^{l - l_0}$. Then, since $\eta := \{y_1, \ldots, y_{q_E}\}$ and $y \notin \eta$, it follows that $h \neq \mathcal{D}_{sk}(y_i)$ for every $y_i \in \eta$. Therefore, for fixed good $y$ (and $h$), since $B$ doesn't ask the query $h$ to the oracle $H(\cdot)$,

$$\Pr[F \mid \mathrm{good}\ y] = \Pr[H(h) \in \mathcal{H}_y] = s \cdot 2^{-l} \leq 2^{-l_0}.$$

This means that

$$\Pr[F] := \Pr[\mathrm{Fail} \mid \neg\mathrm{AskH}] \leq \Pr[F \mid \mathrm{good}\ y] \leq 2^{-l_0}.$$

Hence, $\lambda(k) = 1 - \Pr[\mathrm{Fail}] = 1 - 2^{-l_0}$.

Theorem 2. [$\bar{\Pi}$: IND-CPA secure] If there exists a $(t, q_H, 0, \varepsilon)$-breaker $A := (A_1, A_2)$ for $\bar{\Pi}(1^k)$ in the sense of IND-CPA in the RO model, then there exist a constant $c_1$ and a $(t', 0, 0, \varepsilon')$-breaker $A' := (A'_1, A'_2)$ for $\Pi(1^{k+k_0})$ in the sense of IND-CPA (in the standard model) where

$$t' = t + c_1 \cdot q_H \cdot k, \quad\text{and}\quad \varepsilon' = \varepsilon - q_H \cdot 2^{-k_0+1}.$$

Proof. We run $A' := (A'_1, A'_2)$ in the IND-CPA, standard-model setting, using $A := (A_1, A_2)$ as oracles respectively.

Basically, when $A_1$ asks a query $h$, $A'$ works as follows: if $h$ has not been entered in the list $\tau$, $A'$ chooses an $l$-bit random string $H$, makes an entry $(h, H)$ in $\tau$ and answers $A_1$ with $H$. If $(h, H)$ is already in the list $\tau$, $A'$ answers $A_1$ with the corresponding $H$. The list $\tau$ is empty at first. When $A_1$ outputs $(x_0, x_1, s)$, $A'_1$ outputs $(x_0 \| r_0, x_1 \| r_1, s)$, where $r_0, r_1$ are $k_0$-bit random strings generated by $A'_1$. Then, outside $A'$, $y := \mathcal{E}_{pk}(X_b, R)$ is computed using a random bit $b \in \{0,1\}$ and an $l$-bit random string $R$, where $X_0 := (x_0 \| r_0)$ and $X_1 := (x_1 \| r_1)$. $y$ is input to $A'_2$ together with $(X_0, X_1, s)$.

If $A_2$ asks either $X_0$ or $X_1$ as a query, $A'_2$ makes $A_2$ stop and outputs the corresponding $b \in \{0,1\}$ as its answer; otherwise $A'_2$ follows the basic rule mentioned above. When $A_2$ asks neither of them, $A'_2$ outputs the $b$ that $A_2$ outputs.

The argument behind the proof is as follows: if $A_2$ asks a query to $H$ which coincides with either $(x_0 \| r_0)$ or $(x_1 \| r_1)$, it is almost equivalent to $\mathcal{D}_{sk}(y)$, because (even an unboundedly powerful) $A_2$ has no clue about the $k_0$-bit random string $r_{\bar b}$, where $\bar b$ is the complement of the bit $b$. Therefore, if $A_2$ asks either of them, the corresponding $b$ is expected to be the right one. On the other hand, if $A_2$ asks neither of them, $A_2$ is expected to output the right $b$ because $A_2$ cannot distinguish $y$ from a correct ciphertext (of $\bar{\Pi}$).

The specification of the adversary $A' := (A'_1, A'_2)$ is as follows:

Adversary: $A'_1(pk)$
    $\tau \leftarrow \emptyset$;
    run $A_1(pk)$
        whenever $A_1$ makes an $H$-query $h$:
            if $h \notin \tau_h$, where $\tau_h$ is the list of $h$'s in $\tau$
                $H \leftarrow \{0,1\}^{l}$;
                put $(h, H)$ on the list $\tau$;
                answer $A_1$ with $H$
            else ($h \in \tau_h$)
                answer $A_1$ with $H$ such that $(h, H) \in \tau$
    $A_1$ outputs $(x_0, x_1, s)$
    $r_0, r_1 \leftarrow \{0,1\}^{k_0}$;
    return $(x_0 \| r_0, x_1 \| r_1, s)$
End.

Adversary: $A'_2(x_0 \| r_0, x_1 \| r_1, s, y)$
    run $A_2(x_0, x_1, s, y)$
        whenever $A_2$ makes an $H$-query $h$:
            if $h == (x_b \| r_b)$ for some $b \in \{0,1\}$
                stop $A_2$ and output $b$
            else if $h \notin \tau_h$, where $\tau_h$ is the list of $h$'s in $\tau$
                $H \leftarrow \{0,1\}^{l}$;
                put $(h, H)$ on the list $\tau$;
                answer $A_2$ with $H$
            else ($h \in \tau_h$)
                answer $A_2$ with $H$ such that $(h, H) \in \tau$
    $A_2$ outputs $b$
    return $b$
End.

Here, from the definition of IND-CPA above, $b$ is chosen from $\{0,1\}$ with probability $1/2$, $R$ is an $l$-bit random string, and $y = \mathcal{E}_{pk}(x_b \| r_b, R)$.

$c_1$ corresponds to the computational time of comparing a bit to a bit, coin flipping, and some overhead, depending on details of the underlying model of computation of $A'$. Then, from the specification of $A'$, it runs within at most running time $(t + c_1 \cdot q_H \cdot k)$.

We now analyze the success probability of the adversary $A' := (A'_1, A'_2)$. First we define the following events:

$$\mathrm{Succ}_A := \big[H \leftarrow \Omega;\ (pk, sk) \leftarrow \bar{\mathcal{K}}(1^k);\ (x_0, x_1, s) \leftarrow A_1^{H}(pk);\ b \leftarrow \{0,1\};\ r_b, r_{\bar b} \leftarrow \{0,1\}^{k_0};\ y \leftarrow \mathcal{E}_{pk}((x_b \| r_b), H(x_b \| r_b)) : A_2^{H}(x_0, x_1, s, y) = b\big],$$

$$\mathrm{Succ}_{A'} := \big[(pk, sk) \leftarrow \mathcal{K}(1^{k+k_0});\ (X_0, X_1, s) \leftarrow A'_1(pk);\ b \leftarrow \{0,1\};\ R_b \leftarrow \{0,1\}^{l};\ y \leftarrow \mathcal{E}_{pk}(X_b, R_b) : A'_2(X_0, X_1, s, y) = b\big],$$

where $\bar b$ denotes the complement of $b$.

We can define the advantages of $A$ and $A'$, without loss of generality, as $\mathrm{Adv}^{\mathrm{ind\text{-}cpa}}_{A,\bar{\Pi}}(k) := 2 \cdot \Pr[\mathrm{Succ}_A] - 1$ and $\mathrm{Adv}^{\mathrm{ind\text{-}cpa}}_{A',\Pi}(k + k_0) := 2 \cdot \Pr[\mathrm{Succ}_{A'}] - 1$.

Next, let Ask0 be the event that is true iff a query of $A_2$ coincides with $(x_b \| r_b)$, and let Ask1 be the event that is true iff a query of $A_2$ coincides with $(x_{\bar b} \| r_{\bar b})$. Then,

$$\Pr[\mathrm{Succ}_A] = \Pr[\mathrm{Succ}_A \mid \mathrm{Ask0}] \cdot \Pr[\mathrm{Ask0}] + \Pr[\mathrm{Succ}_A \mid (\neg\mathrm{Ask0}) \wedge \mathrm{Ask1}] \cdot \Pr[(\neg\mathrm{Ask0}) \wedge \mathrm{Ask1}] + \Pr[\mathrm{Succ}_A \mid (\neg\mathrm{Ask0}) \wedge (\neg\mathrm{Ask1})] \cdot \Pr[(\neg\mathrm{Ask0}) \wedge (\neg\mathrm{Ask1})]$$

and

$$\Pr[\mathrm{Succ}_{A'}] = \Pr[\mathrm{Succ}_{A'} \mid \mathrm{Ask0}] \cdot \Pr[\mathrm{Ask0}] + \Pr[\mathrm{Succ}_{A'} \mid (\neg\mathrm{Ask0}) \wedge \mathrm{Ask1}] \cdot \Pr[(\neg\mathrm{Ask0}) \wedge \mathrm{Ask1}] + \Pr[\mathrm{Succ}_{A'} \mid (\neg\mathrm{Ask0}) \wedge (\neg\mathrm{Ask1})] \cdot \Pr[(\neg\mathrm{Ask0}) \wedge (\neg\mathrm{Ask1})].$$

From the specification of $A'$, it is clear that $\Pr[\mathrm{Succ}_{A'} \mid \mathrm{Ask0}] = 1$, $\Pr[\mathrm{Succ}_{A'} \mid (\neg\mathrm{Ask0}) \wedge \mathrm{Ask1}] = 0$ and $\Pr[\mathrm{Succ}_A \mid (\neg\mathrm{Ask0}) \wedge (\neg\mathrm{Ask1})] = \Pr[\mathrm{Succ}_{A'} \mid (\neg\mathrm{Ask0}) \wedge (\neg\mathrm{Ask1})]$. Hence, $\Pr[\mathrm{Succ}_{A'}]$ is at most $\Pr[(\neg\mathrm{Ask0}) \wedge \mathrm{Ask1}]$ less than $\Pr[\mathrm{Succ}_A]$, because

$$\Pr[\mathrm{Succ}_{A'}] - \Pr[\mathrm{Succ}_A] = (1 - \Pr[\mathrm{Succ}_A \mid \mathrm{Ask0}]) \cdot \Pr[\mathrm{Ask0}] - \Pr[\mathrm{Succ}_A \mid (\neg\mathrm{Ask0}) \wedge \mathrm{Ask1}] \cdot \Pr[(\neg\mathrm{Ask0}) \wedge \mathrm{Ask1}] \geq -\Pr[(\neg\mathrm{Ask0}) \wedge \mathrm{Ask1}].$$

Finally, we have

$$\Pr[\mathrm{Succ}_{A'}] \geq \Pr[\mathrm{Succ}_A] - q_H \cdot 2^{-k_0},$$

since we infer that $\Pr[(\neg\mathrm{Ask0}) \wedge \mathrm{Ask1}] \leq q_H \cdot 2^{-k_0}$: the string $r_{\bar b}$ is independent of everything $A_2$ sees, so each of its at most $q_H$ queries hits $(x_{\bar b} \| r_{\bar b})$ with probability at most $2^{-k_0}$. Therefore, we have $\varepsilon' = \varepsilon - q_H \cdot 2^{-k_0+1}$.
From Definition 7 and Theorems 1 and 2, $\bar{\Pi}$ is secure in the sense of PA, and hence, by Proposition 3, secure in the sense of IND-CCA2. Thus, our interest in the following theorem is focused on the efficiency of the reduction.

Theorem 3. [$\bar{\Pi}$: IND-CCA2 secure] If there exists a $(t, q_H, q_D, \varepsilon)$-breaker $A := (A_1, A_2)$ for $\bar{\Pi}(1^k)$ in the sense of IND-CCA2 in the RO model, then there exist a constant $c$ and a $(t', 0, 0, \varepsilon')$-breaker $A' := (A'_1, A'_2)$ for $\Pi(1^{k+k_0})$ in the sense of IND-CPA (in the standard model) where

$$t' = t + q_H \cdot (T_{\mathcal{E}}(k) + c \cdot k), \quad\text{and}\quad \varepsilon' = (\varepsilon - q_H \cdot 2^{-k_0+1}) \cdot (1 - 2^{-l_0})^{q_D}.$$

$T_{\mathcal{E}}(k)$ denotes the computational running time of the encryption algorithm $\mathcal{E}_{pk}(\cdot)$ and $l_0 := \log_2\big(\min_{x \in \{0,1\}^{k+k_0}} [\#\{\mathcal{E}_{pk}(x, r) \mid r \in \{0,1\}^{l}\}]\big)$.

$c$ corresponds to $c_0 + c_1$. We omit the proof because it is straightforward from the following specification of the adversary $A'$, in which every decryption query of $A$ is answered by the knowledge extractor $K$ of Theorem 1:

Adversary: $A'_1(pk)$
    $\tau \leftarrow \emptyset$;
    $\eta \leftarrow \emptyset$;
    run $A_1(pk)$
        whenever $A_1$ makes an $H$-query $h$ or a $\mathcal{D}$-query $y'$:
            if $A_1$ makes an $H$-query $h$:
                if $h \notin \tau_h$
                    $H \leftarrow \{0,1\}^{l}$;
                    put $(h, H)$ on the list $\tau$;
                    answer $A_1$ with $H$
                else ($h \in \tau_h$)
                    answer $A_1$ with $H$ such that $(h, H) \in \tau$
            else if $A_1$ makes a $\mathcal{D}$-query $y'$:
                run $K(\tau, \eta, y', pk)$
                $K$ outputs $x'$
                answer $A_1$ with $x'$
    $A_1$ outputs $(x_0, x_1, s)$
    $r_0, r_1 \leftarrow \{0,1\}^{k_0}$;
    return $(x_0 \| r_0, x_1 \| r_1, s)$
End.

Adversary: $A'_2(x_0 \| r_0, x_1 \| r_1, s, y)$
    $\eta \leftarrow \{y\}$;
    run $A_2^{H, \mathcal{D}}(x_0, x_1, s, y)$
        whenever $A_2$ makes an $H$-query $h$ or a $\mathcal{D}$-query $y'$:
            if $A_2$ makes an $H$-query $h$:
                if $[h]_{k_0} == r_b$ for some $b \in \{0,1\}$, where $[h]_{k_0}$ denotes the last $k_0$ bits of $h$
                    stop $A_2$ and output $b$
                else if $h \notin \tau_h$
                    $H \leftarrow \{0,1\}^{l}$;
                    put $(h, H)$ on the list $\tau$;
                    answer $A_2$ with $H$
                else ($h \in \tau_h$)
                    answer $A_2$ with $H$ such that $(h, H) \in \tau$
            else if $A_2$ makes a $\mathcal{D}$-query $y'$:
                run $K(\tau, \eta, y', pk)$
                $K$ outputs $x'$
                answer $A_2$ with $x'$
    $A_2$ outputs $b$
    return $b$
End.

5 Examples: Enhanced Probabilistic Encryptions

In this section, we convert IND-CPA secure schemes into IND-CCA2 (or NM-CCA2) secure ones. The ElGamal, Okamoto-Uchiyama, and Blum-Goldwasser encryption schemes are candidates, since they are practical and secure in the IND-CPA sense under some reasonable assumptions: the decision Diffie-Hellman, $p$-subgroup, and factoring assumptions, respectively.

[Enhanced ElGamal scheme]

- Key generator $\bar{\mathcal{K}}$: $(pk, sk) \leftarrow \bar{\mathcal{K}}(1^k) := \mathcal{K}(1^{k+k_0})$

- $pk := (p, q, g, y)$ and $sk := (p, q, g, s)$ where $y = g^{s} \bmod p$, $|p| = k + k_0$, $s \in \mathbb{Z}/q\mathbb{Z}$, $q \mid p - 1$, and $\#\langle g \rangle = q$.

- Hash function $H : \{0,1\}^{k+k_0} \to \mathbb{Z}/q\mathbb{Z}$.

- Encryption $\bar{\mathcal{E}}$:
  $$(y_1, y_2) := \bar{\mathcal{E}}_{pk}(x, r) := \big(g^{H(x \| r)} \bmod p,\ (x \| r) \oplus (y^{H(x \| r)} \bmod p)\big),$$
  where the message $x \in \{0,1\}^{k}$ and $r \leftarrow \{0,1\}^{k_0}$.

- Decryption $\bar{\mathcal{D}}$:
  $$\bar{\mathcal{D}}_{sk}(y_1, y_2) := \begin{cases} [y_2 \oplus (y_1^{s} \bmod p)]^{k} & \text{if } y_1 = g^{H(y_2 \oplus (y_1^{s} \bmod p))} \bmod p \\ \varepsilon\ \text{(null)} & \text{otherwise,} \end{cases}$$
  where $[y_2 \oplus (y_1^{s} \bmod p)]^{k}$ denotes the first $k$ bits of $y_2 \oplus (y_1^{s} \bmod p)$.
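As an added illustration that is not part of the paper, the Basic Scheme of Section 3 instantiated as the Enhanced ElGamal scheme just described, with the knowledge extractor K of Theorem 1 scanning the recorded oracle list τ; the toy 16-bit group, the dictionary-backed random oracle and the sample values are constructed here, and the re-encryption check is what rejects a modified ciphertext.

```python
"""Enhanced ElGamal (Basic Scheme + ElGamal) and the extractor K of Theorem 1.
Toy parameters (|p| = k + k0 = 16 bits) and a table-based random oracle;
illustration of the construction only, not a usable implementation."""
import random

K_BITS, K0_BITS = 8, 8            # |x| = k, |r| = k0, so |p| = k + k0
N_BITS = K_BITS + K0_BITS


def is_prime(n):
    """Trial division; adequate for the 16-bit toy modulus used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def keygen(rng):
    """Toy ElGamal keys: p = 2q + 1 with |p| = k + k0, g of order q, y = g^s."""
    while True:
        q = rng.randrange(1 << (N_BITS - 2), 1 << (N_BITS - 1))
        p = 2 * q + 1
        if is_prime(q) and is_prime(p) and p.bit_length() == N_BITS:
            break
    g = 1
    while g == 1:                 # a non-trivial square generates the order-q subgroup
        g = pow(rng.randrange(2, p - 1), 2, p)
    s = rng.randrange(1, q)
    return (p, q, g, pow(g, s, p)), (p, q, g, s)


class RandomOracle:
    """H : {0,1}^{k+k0} -> Z/qZ, lazily sampled.  Every fresh query (h_i, H_i) is
    appended to tau, which is exactly the list the extractor of Theorem 1 receives."""

    def __init__(self, q, rng):
        self.q, self.rng, self.table, self.tau = q, rng, {}, []

    def __call__(self, m):
        if m not in self.table:
            self.table[m] = self.rng.randrange(self.q)
            self.tau.append((m, self.table[m]))
        return self.table[m]


def encrypt(pk, H, x, r):
    """E_pk(x, r) := (g^{H(x||r)} mod p, (x||r) XOR (y^{H(x||r)} mod p))."""
    p, q, g, y = pk
    assert 0 <= x < (1 << K_BITS) and 0 <= r < (1 << K0_BITS)
    m = (x << K0_BITS) | r        # x||r as a (k + k0)-bit integer
    e = H(m)
    return pow(g, e, p), m ^ pow(y, e, p)


def decrypt(sk, H, c):
    """D_sk: recover x||r, re-derive the randomness with H and re-encrypt;
    output epsilon (None) unless y1 is the canonical first component for x||r."""
    p, q, g, s = sk
    y1, y2 = c
    m = y2 ^ pow(y1, s, p)        # y1^s = y^{H(m)} for an honestly formed ciphertext
    if y1 != pow(g, H(m), p):
        return None               # validity check fails: reject
    return m >> K0_BITS           # first k bits of D_sk(y)


def extractor(tau, pk, c):
    """K(tau, eta, y, pk) of Theorem 1: look for (h_i, H_i) in tau with c == E_pk(h_i, H_i)."""
    p, q, g, y = pk
    y1, y2 = c
    for h_i, H_i in tau:
        if y1 == pow(g, H_i, p) and y2 == h_i ^ pow(y, H_i, p):
            return h_i >> K0_BITS
    return None                   # not in the transcript: K guesses "invalid"


def demo(seed=7):
    """Honest ciphertext: decrypted and extracted.  A ciphertext altered without
    consulting H (the ~AskH case of the proof): unknown to K and rejected by D."""
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    H = RandomOracle(pk[1], rng)
    c = encrypt(pk, H, 0xA5, 0x3C)          # constructed sample x and r
    honest = (decrypt(sk, H, c), extractor(H.tau, pk, c))
    altered = (c[0], c[1] ^ 1)              # flips one bit of x||r; H never saw the new value
    k_altered = extractor(H.tau, pk, altered)
    d_altered = decrypt(sk, H, altered)     # accepted only if H(x'||r') == H(x||r), prob. 1/q
    return honest, d_altered, k_altered
```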



Lemma 1. In the random oracle model, the Enhanced ElGamal encryption scheme is secure in the sense of NM-CCA2 (or IND-CCA2) if the decision Diffie-Hellman problem is intractable.

(Footnote) To our knowledge, Tsiounis and Yung first proved in [11] that the ElGamal encryption scheme is as secure as the decision Diffie-Hellman problem. In addition, they also presented a converted ElGamal scheme which is NM-CCA2 secure in the random oracle model. However, our converted one is more efficient than theirs.
[Enhanced Okamoto-Uchiyama scheme]

- Key generator $\bar{\mathcal{K}}$: $(pk, sk) \leftarrow \bar{\mathcal{K}}(1^k) := \mathcal{K}(1^{k+k_0})$

- $pk := (n, g, h, k)$ and $sk := (p, q)$ where $n = p^{2} q$, $|p| = |q| = k + k_0$, $g \in (\mathbb{Z}/n\mathbb{Z})^{*}$ such that the order of $g_p := g^{p-1} \bmod p^{2}$ is $p$, and $h = g^{n} \bmod n$.

- Hash function $H : \{0,1\}^{k+k_0-1} \to \mathbb{Z}/n\mathbb{Z}$.

- Encryption $\bar{\mathcal{E}}$:
  $$y := \bar{\mathcal{E}}_{pk}(x, r) := g^{x \| r}\, h^{H(x \| r)} \bmod n,$$
  where the message $x \in \{0,1\}^{k}$ and $r \leftarrow \{0,1\}^{k_0-1}$.

- Decryption $\bar{\mathcal{D}}$:
  $$\bar{\mathcal{D}}_{sk}(y) := \begin{cases} [X]^{k} & \text{if } y = g^{X} h^{H(X)} \bmod n \\ \varepsilon\ \text{(null)} & \text{otherwise,} \end{cases}$$
  where $y_p := y^{p-1} \bmod p^{2}$, $L(x) := (x - 1)/p$, and $X := L(y_p)/L(g_p) \bmod p$.

Lemma 2. In the random oracle model, the Enhanced Okamoto-Uchiyama encryption scheme is secure in the sense of NM-CCA2 (or IND-CCA2) if the $p$-subgroup problem (see [9]) is intractable.



[Enhanced Blum-Goldwasser scheme]

- Key generator $\bar{\mathcal{K}}$: $(pk, sk) \leftarrow \bar{\mathcal{K}}(1^k) := \mathcal{K}(1^{k+k_0})$

- $pk := (n)$ and $sk := (n, p, q)$ where $n = pq$, $|p| = |q| = k/2$, and $p, q$ are Williams integers (i.e. primes with $p, q \equiv 7 \pmod 8$).

- Hash function $H : \{0,1\}^{k+k_0} \to \mathbb{Z}/n\mathbb{Z}$.

- Encryption $\bar{\mathcal{E}}$:
  $$(y_1, y_2) := \bar{\mathcal{E}}_{pk}(x, r) := \big(H(x \| r)^{2^{k+k_0+1}} \bmod n,\ (x \| r) \oplus R\big),$$
  where the message $x \in \{0,1\}^{k}$, $r \leftarrow \{0,1\}^{k_0}$, and $R := \mathrm{LSB}[H(x \| r)^{2}] \,\|\, \mathrm{LSB}[H(x \| r)^{4}] \,\|\, \cdots \,\|\, \mathrm{LSB}[H(x \| r)^{2^{k+k_0}}]$ (all powers taken mod $n$).

- Decryption $\bar{\mathcal{D}}$:
  $$\bar{\mathcal{D}}_{sk}(y_1, y_2) := \begin{cases} [y_2 \oplus R]^{k} & \text{if } y_1 = H(y_2 \oplus R)^{2^{k+k_0+1}} \bmod n \\ \varepsilon\ \text{(null)} & \text{otherwise,} \end{cases}$$
  where $R := \mathrm{LSB}[y_1^{1/2^{k+k_0}}] \,\|\, \cdots \,\|\, \mathrm{LSB}[y_1^{1/2}]$, the square roots being computed with the factorization $(p, q)$ of $n$.

Lemma 3. In the random oracle model, the Enhanced Blum-Goldwasser encryption scheme is secure in the sense of NM-CCA2 (or IND-CCA2) if the factoring problem is intractable.
6 Conclusion

This paper presented a simple and efficient conversion from a public-key encryption scheme that is semantically secure against passive adversaries to a public-key encryption scheme that is non-malleable (or semantically secure) against chosen-ciphertext attacks (active adversaries) in the random oracle model. Our conversion incurs minimum cost, i.e., only one random (hash) function operation. We also showed that our security reduction is (almost) optimally efficient, i.e., it gives exact security. Finally, this paper presented some practical examples, the enhanced ElGamal, Blum-Goldwasser and Okamoto-Uchiyama schemes.

Acknowledgment 

The second author would like to thank Phillip Rogaway for useful discussions. 

References

1. M. Bellare and P. Rogaway, "Random Oracles are Practical: A Paradigm for Designing Efficient Protocols," Proc. of the First ACM Conference on Computer and Communications Security, pp. 62-73.

2. M. Bellare and P. Rogaway, "Optimal Asymmetric Encryption: How to Encrypt with RSA," Advances in Cryptology - EUROCRYPT '94.

3. M. Bellare, A. Desai, D. Pointcheval, and P. Rogaway, "Relations Among Notions of Security for Public-Key Encryption Schemes," Advances in Cryptology - CRYPTO '98.

4. M. Blum and S. Goldwasser, "An Efficient Probabilistic Public-Key Encryption Scheme Which Hides All Partial Information," Proceedings of CRYPTO '84, LNCS 196, Springer-Verlag, pp. 289-299 (1985).

5. R. Cramer and V. Shoup, "A Practical Public Key Cryptosystem Provably Secure Against Adaptive Chosen Message Attack," Advances in Cryptology - CRYPTO '98, Springer-Verlag, 1998.

6. D. Dolev, C. Dwork and M. Naor, "Non-malleable Cryptography," Proceedings of STOC '91, pp. 542-552.

7. T. ElGamal, "A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms," IEEE Transactions on Information Theory, IT-31, 4, pp. 469-472, 1985.

8. S. Goldwasser and S. Micali, "Probabilistic Encryption," JCSS, vol. 28, pp. 270-299, 1984.

9. T. Okamoto and S. Uchiyama, "A New Public-Key Cryptosystem as Secure as Factoring," Advances in Cryptology - EUROCRYPT '98, Springer-Verlag, 1998.

10. R. Rivest, A. Shamir and L. Adleman, "A Method for Obtaining Digital Signatures and Public Key Cryptosystems," Communications of the ACM, 21, 2, pp. 120-126, 1978.

11. Y. Tsiounis and M. Yung, "On the Security of ElGamal Based Encryption," PKC '98, January 1998.




Encrypted Message Authentication by Firewalls 



Chandana Gamage, Jussipekka Leiwo, and Yuliang Zheng

Peninsula School of Computing and Information Technology
Monash University, McMahons Road, Frankston, Vic 3199, Australia
{chandag, skylark, yuliang}@pscit.monash.edu.au



Abstract. Firewalls typically filter network traffic at several different 
layers. At application layer, filtering is based on various security relevant 
information encapsulated into protocol messages. The major obstacle 
for efficient verification of authenticity of messages at application layer 
is the difficulty of verifying digital signatures without disclosure of con- 
tent protected by encryption. This is due to a traditional paradigm of 
generating a digital signature of a message and then encrypting the sig- 
nature together with the message to preserve confidentiality, integrity, 
non-repudiation and authenticity. To overcome this limitation, a scheme 
shall be proposed for enabling signature verification without disclosing 
the content of messages. To provide maximum efficiency, the scheme is 
based on digital signcryption. 

Keywords. Encryption, Digital Signatures, Firewalls, Confidentiality, 
Authenticity, Network Security, Signcryption, Public Key Cryptography 



1 Introduction 

Firewalls are one of the most useful and versatile tools available for securing a LAN and for other applications such as constructing secure virtual private networks. They are typically operated as a filtering gateway at the LAN-WAN interface, usually a router. Firewalls operating at the data link level perform a primitive level of filtering based on frame-level addressing. Network-level firewalls work a step higher and filter packets based on a set of rules including packet addresses, port addresses and possibly packet header authentication as supported by the new IPv6 extensions. The most comprehensive filtering is done at the application layer, with end-user-level authentication of messages.

For secure communication using public key cryptography, the standard practice is for a sender to sign a message (or its hash) using her secret key and then encrypt the message and the signature using the receiver's public key. The signature is used to provide sender authenticity, message integrity and message origin non-repudiation, while encryption provides message confidentiality. Other redundant information such as time-stamps or sequence numbers in messages can be used against replay and existential forgery attacks. When this cipher text message reaches its intended recipient, he first decrypts the cryptogram using his secret key. Then the signature is verified using the sender's public key.

H. Imai and Y. Zheng (Eds.): PKC'99, LNCS 1560, pp. 69-..., 1999.
© Springer-Verlag Berlin Heidelberg 1999
Fig. 1. Application-level firewall used for inward message authentication in a LAN

1.1 The Problem 

In a LAN secured with a firewall, this standard use of public key cryptographic techniques for secure communication causes serious difficulties in filtering. As both the signed message and the signature are encrypted, the filtering process at the firewall cannot authenticate the message independently of the end-point receiver. The firewall cannot access the signature, as the cryptogram cannot be decrypted without the receiver's secret key. This scenario is illustrated in Figure 1 for communication between the external user Alice and the LAN user Bob.

Another problem, from the users' point of view, is that they may want to maintain the confidentiality of their communication while allowing the firewall to verify the message origin for filtering. Most widely used digital signature schemes either require access to the signed text for signature verification (schemes with appendix such as DSA, ElGamal or Schnorr) or recover the message as part of the verification step (such as RSA, Rabin or Nyberg-Rueppel).



1.2 Research Contribution 

This problem of authentication of secure messages by a firewall is common to 
all widely used public key cryptosystems that use standard sign-then-encrypt 
mode of operation. We suggest that the following properties should be satisfied by 
any practical scheme which aims to solve the problem: 

Property 1. Preserve the semantics of signature-then- verification. 

Property 2. Signature verified without access to the plain text. 

Property 3. Should not increase the original computational and transmission 
costs incurred by end-user signer or verifier. 

Property 4. Cost of signature verification by the firewall, measured in terms 
of computational and transmission effort, should not be greater than that 
for the end-user verifier. 
In section 5 we present a complete solution to this problem which is more efficient than standard sign-then-encrypt schemes.

1.3 Structure of the Paper

There are seemingly straightforward ways to achieve authenticity without disclosure of messages in a public key cryptographic setting. These alternative mechanisms shall be summarized in section 2, and the reasons pointed out why they are not capable of meeting the security requirements and objectives of this research. The proposed mechanism shall be established in section 3, and informal arguments shall be provided for the security and performance of the proposal. The informal discussion shall be enhanced and a formal proof of security of the proposed scheme shall be given in section 4. Section 5 shall conclude with remarks highlighting important issues related to the proof mechanism used in this paper.
2 Related Work 

We will first discuss two straightforward solutions to the problem outlined above 
and resulting security implications for those schemes. 

Reordering If the cryptographic operations are reordered so that encryption 
is followed by signing, anyone can verify the signature while not compro- 
mising the confidentiality of the encrypted message. However, reordering is 
not a desirable option as an adversary could replace an original signature 
with his own in particular situations to obtain some advantage even without 
knowledge of the actual message content. 

Chen and Hughes discuss the security protocol failures due to reordering when RSA encryption is used. Their work is an extension of the general attack presented by Anderson and Needham for protocols that sign after encryption. Apart from the apparent insecurity, this mode of operation does not satisfy the first and second properties listed earlier.

Signcryption with public key only signature verification The original signcryption primitive proposed by Zheng combines the sign-then-encrypt two-step process for creating a secure authenticated message into a single logical step, with significant savings in both computational and transmission costs. A disadvantage for some applications such as firewall authentication is that only the intended recipient can verify the message. A modified signcryption scheme was proposed by Bao and Deng to overcome this limitation at the cost of increased computational cost, while still preserving the transmission cost savings achieved by the original scheme. Two disadvantages of this modified signcryption scheme are:

1. The signature-verification-only mode of operation can be used only after the original recipient has recovered the plain text message.

2. The plain text message must be forwarded to a third party for signature verification, and the message confidentiality is lost.

Therefore, this scheme is unusable by a firewall, as a message must be recovered by the end-user prior to firewall verification, which violates the second property listed earlier. Hao Zheng and Robert Blakley have also proposed a similar scheme called Authenticryption based on the ElGamal signature scheme and its variants. This scheme is also unusable for implementing firewall message authentication, as it does not satisfy the last three properties we have stated.

3 Signcryption for Third-Party Verification 

In this section, we show that with a small change to the original signcryption scheme it is possible to modify the Bao-Deng scheme to carry out signature verification without accessing the plain text. The advantages of this new mode of operation for signcryption are:

1. Cipher-text-only signature verification that preserves the confidentiality of the original message without altering the sign-then-encrypt paradigm (first and second properties).

2. The computational cost is higher than in the original scheme of Zheng but lower than in the Bao-Deng modified scheme and thus than in standard sign-then-encrypt schemes (third and fourth properties).

3. The transmission cost saving of the original signcryption scheme is preserved (third property).

The main parameters used in the signcryption scheme are: $p$, a large prime number; $q$, a large prime factor of $p - 1$; $g$, an integer in $[1, \ldots, p - 1]$ with order $q$ mod $p$; $hash$, a cryptographically strong one-way hash function of the form $\{0,1\}^{*} \to \{0,1\}^{l}$ where $l$ is a security parameter; $(E, D)$, the encryption and decryption algorithms of a private key cipher such as DES; $x_a$, the secret key of Alice, a randomly chosen integer; $y_a$, the public key of Alice ($y_a = g^{x_a} \bmod p$); $x_b$, the secret key of Bob, a randomly chosen integer; $y_b$, the public key of Bob ($y_b = g^{x_b} \bmod p$); and $m$, a message.



3.1 Scheme for Single Prover - Single Verifier

Signcryption Choose an integer $x$ randomly from $[1, \ldots, p - 1]$ and compute $k = hash(y_b^{x} \bmod p)$ and $y = g^{x} \bmod p$. The signcrypted cryptogram $(c, r, s)$ is computed by Alice as
    $c = E_k(m)$
    $r = hash(y, c)$
    $s = x / (r + x_a) \bmod q$

Remark 1. We compute $r$ by taking the hash value of $c$ instead of $m$ as in the original scheme. This change results in a corresponding change in the unsigncryption step. Also, we do not hash the value of $y$ as in the Bao-Deng scheme, as that hashing operation is redundant. Note that we have deliberately put $y$ before $c$. Here, $y$ can be pre-computed, and hence $hash(y, c)$ can be partially pre-hashed, as every hash works in a block-by-block fashion. Otherwise, if $c$ were in front of $y$, nothing could be pre-hashed until we get $c$.

Unsigncryption For full unsigncryption with message recovery, Bob will compute from $(c, r, s)$
    $y = (y_a g^{r})^{s} \bmod p$
    $k = hash(y^{x_b} \bmod p)$
    $m = D_k(c)$
    Accept the signature if and only if $hash(y, c) = r$

Signature Verification For partial unsigncryption with signature verification only, any verifier will compute from $(c, r, s)$
    $y = (y_a g^{r})^{s} \bmod p$
    Accept the signature if and only if $hash(y, c) = r$

This signature verification does not require access to the plain text message.
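The three operations above as an added example that is not part of the paper: Alice signcrypts, a verifier such as the firewall runs the verification-only check from public values alone, and Bob fully unsigncrypts. The toy group (p = 1019, q = 509, g = 4), the SHA-256 stand-ins for hash and for the private-key cipher (E, D), and the sample message are constructed assumptions.

```python
"""Modified signcryption of Section 3.1: signcrypt / unsigncrypt / verify-only.
Toy parameters p = 1019, q = 509 (q | p - 1), g = 4 (a square, so of order q).
SHA-256 stands in for `hash` and for the private-key cipher; illustration only."""
import hashlib
import random

P, Q, G = 1019, 509, 4            # constructed toy group parameters


def h_int(*parts):
    """hash : {0,1}* -> {0,1}^l as an integer; SHA-256 over length-prefixed parts,
    so hash(y, c) is unambiguous whatever the lengths of y and c."""
    m = hashlib.sha256()
    for part in parts:
        b = part if isinstance(part, bytes) else str(part).encode()
        m.update(len(b).to_bytes(4, "big") + b)
    return int.from_bytes(m.digest(), "big")


def sym(key, data):
    """Stand-in for (E_k, D_k): XOR with a hash-derived keystream, so it is its own inverse."""
    stream = b"".join(
        hashlib.sha256(key.to_bytes(32, "big") + i.to_bytes(4, "big")).digest()
        for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


def keypair(rng):
    """(secret x, public y = g^x mod p), for Alice or Bob."""
    x = rng.randrange(1, Q)
    return x, pow(G, x, P)


def signcrypt(m, x_a, y_b, rng):
    """Alice: k = hash(y_b^x), y = g^x, c = E_k(m), r = hash(y, c), s = x/(r + x_a) mod q."""
    while True:
        x = rng.randrange(1, Q)
        k = h_int(pow(y_b, x, P))
        y = pow(G, x, P)
        c = sym(k, m)
        r = h_int(y, c)
        if (r + x_a) % Q:         # edge case: r + x_a has no inverse mod q, pick a new x
            s = x * pow((r + x_a) % Q, -1, Q) % Q
            return c, r, s


def recover_y(c, r, s, y_a):
    """Shared by Bob and the firewall: y = (y_a * g^r)^s mod p = g^x, no secret needed."""
    return pow(y_a * pow(G, r, P) % P, s, P)


def verify_only(c, r, s, y_a):
    """Firewall mode: accept iff hash(y, c) == r.  Only c, r, s and y_a are used,
    so the plain text is never recovered or seen."""
    return h_int(recover_y(c, r, s, y_a), c) == r


def unsigncrypt(c, r, s, x_b, y_a):
    """Bob: the same signature check, then k = hash(y^{x_b}) and m = D_k(c)."""
    y = recover_y(c, r, s, y_a)
    if h_int(y, c) != r:
        return None
    return sym(h_int(pow(y, x_b, P)), c)


def demo(seed=5):
    """Returns (firewall verdict, Bob's plaintext, firewall verdict on a cryptogram
    whose first cipher-text byte was changed in transit)."""
    rng = random.Random(seed)
    x_a, y_a = keypair(rng)
    x_b, y_b = keypair(rng)
    msg = b"constructed sample message"
    c, r, s = signcrypt(msg, x_a, y_b, rng)
    altered = bytes([c[0] ^ 0x80]) + c[1:]  # r no longer matches hash(y, c')
    return verify_only(c, r, s, y_a), unsigncrypt(c, r, s, x_b, y_a), verify_only(altered, r, s, y_a)
```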

Use of the signcryption paradigm has already satisfied our first property, and the verification without message recovery shown above satisfies the second property. In the next section we give relative estimates of computational and transmission costs to show that the third and fourth properties are also satisfied.

3.2 Discussion on Security and Performance 

A question that arises due to our modification of the original signcryption scheme is whether the use of the cipher text $c$ (a public value) for computing $r$ instead of $m$ (a private value) weakens the resulting scheme. The value $r$, when viewed as corresponding to the commitment value in a three-move zero-knowledge identification scheme, only needs to be a random value. For a signature scheme, this random value must also be bound to the message $m$. As we have used a hash function to compute $r$ from $y$ and $c$, both these conditions are satisfied. Therefore, in an informal analysis, the modification does not seem to reduce the security of the original signcryption scheme. However, given the major weaknesses that can arise from even minor changes to cryptographic protocols, it is essential to perform a formal security analysis of the proposed scheme.

Furthermore, we cannot directly use the security arguments given for the original signcryption scheme, as the modified schemes (both the Bao-Deng scheme and ours) are fundamentally different due to the two-step computation of the commitment value using a secret random integer. In Zheng's scheme, the security of the single computed value $y_b^{x} \bmod p$ is guaranteed by its equivalence to the computational Diffie-Hellman problem. In the Bao-Deng scheme, the computation of two values, $y_b^{x} \bmod p$ and $g^{x} \bmod p$, using the same secret random integer $x$ does not provide such a straightforward security argument. In section 4 we give a formal proof of security based on the random oracle model and show the
Table 1. Comparison of number of exponentiations modulo p

Operation     | Signcryption  | Modified Signcryption | DSA sign + ElGamal encrypt
--------------+---------------+-----------------------+---------------------------
Signcrypt     | 1 EXP         | 2 EXP                 | 1 + 2 EXP
Unsigncrypt   | 2 EXP (1.17)  | 3 EXP (2.17)          | 1 + 2 EXP (1 + 1.17)
Verify only   | n/a           | 2 EXP (1.17)          | n/a


pseudo-independence of the two computed values as an adequate guarantee of security for the signature scheme.

In digital signature generation and verification, the computational effort is dominated by the exponentiations modulo $p$. Other computational costs due to modular multiplication, addition, inversion, and also hashing and symmetric key encryption constitute only a small fraction of the overall cost. Therefore, when we try to improve the performance of digital signature schemes, the main aim is to reduce the number of modular exponentiations in the scheme. In Table 1 we show that the Bao-Deng scheme as modified by us can verify a signature at the cost of 4 modular exponentiations, as against 5 for the original Bao-Deng method. The values within parentheses show the instances where 2 modular exponentiations can be done for the cost of 1.17 modular exponentiations using the algorithm for simultaneous multiple exponentiation [page 618]. In Table 2 we show that the modified signcryption scheme in signature-verification-only mode can achieve nearly a 40% saving in computational cost over a standard DSA-ElGamal style scheme for secure and authenticated message transmission.



Table 2. Computational cost savings for modified signcryption over DSA- 
ElGamal 

Operating mode of the modified scheme | Cost saving 
Signcryption with message recovery    | 5/6 (4.17/5.17)  17% (19%) 
Signcryption with verification only   | 4/6 (3.17/5.17)  33% (39%) 



4 Formal Proof of Security for Verification only Mode 

The security of a cryptographic protocol such as an encryption scheme or a signa- 
ture scheme can be informally established through its resistance to cryptanalytic 
attacks. However, a more desirable guarantee of security is a formal proof that 
provides arguments for the strength of a particular scheme in a given computa- 
tional model. Currently, there are two main techniques to achieve this goal of 
provable security: (1) complexity theoretic arguments that provide computational 
reductions to well-known presumably hard problems such as the discrete loga- 
rithm problem, the RSA problem, the Diffie-Hellman problem, etc.; (2) the random 
oracle technique described by Bellare and Rogaway, which provides a new paradigm 
for security analysis through replacement of hash functions in protocols by an 
ideally random oracle. 

To analyze the security of the verification only signcryption mode, we apply 
the security arguments developed by Pointcheval and Stern for digital signature 
schemes using the random oracle technique of Bellare and Rogaway. 

The main result of Pointcheval and Stern is the Forking Lemma, which gives the 
probability of finding a forking pair of signatures in the random oracle model, 
yielding an asymptotic reduction to a hard problem. 



4.1 Security of a Digital Signature Scheme 

There are two main classes of attacks on digital signature schemes, and we will 
briefly describe the attacks and their consequences based on the definitions by 
Goldwasser, Micali and Rivest. 

1. Key only or no message attacks, in which an attacker A has access only to 
public parameters and public keys. 

2. Message attacks, in which A has access to pairs of message texts and cor- 
responding signatures. These known message attacks can be further catego- 
rized into four modes depending on the power A has in selecting the messages 
signed by the legitimate signer E. 

(a) Known-messages, in which A does not choose the messages signed by E. 

(b) Generic chosen-messages, in which A chooses a set of messages to be 
signed before knowing the actual E targeted for attack. 

(c) Directed chosen-messages, in which A chooses a set of messages to be 
signed after selecting a specific E but before the actual attack. 

(d) Adaptive chosen-messages, in which A chooses messages for signing dy- 
namically after inspecting the signatures he obtained for previous messages. 

The no message attack is the weakest type of attack on a digital signature 
scheme while the adaptive chosen-message attack is the strongest. The outcomes 
of attacks on signature schemes are forgeries. There are four main types of forg- 
eries: 

1. Total break, in which A recovers the secret key of the E under attack. 

2. Universal forgery, in which A does not obtain the secret key of E but gains 
the ability to generate valid signatures for any message. 

3. Selective forgery, in which A does not obtain the secret key of E but gains 
the ability to generate valid signatures for any set of preselected messages. 

4. Existential forgery, in which A is able to create at least one new message 
and signature pair without knowing the secret key. However, the messages 
are only arbitrary bit strings and A does not have any power over their 
composition. 

The total break is the hardest type of forgery to make while existential forgery 
is the easiest type of subversion of a digital signature scheme. 

Therefore, a provably secure digital signature scheme is defined as one that 
can withstand an adaptive chosen-message attack (the strongest) aimed at creating 
an existential forgery (the easiest). Here the attacker is assumed to run in 
probabilistic polynomial time and the success of a forgery to have non-negligible 
probability. The attacker A, oracle O and signer S are all modeled as probabilistic 
polynomial-time Turing machines in the security analysis to follow. The chosen- 
message attack is modeled by allowing A to query S as an oracle. We summarize 
the discussion on digital signature security in the random oracle model with the 
following two definitions. 

Definition 1. A signature scheme is (T, Q, ε)-secure if an attacker A who is 
limited to Q queries to the random oracle O over a period of time T can 
create an existentially forged signature with probability at most ε after a no- 
message attack. The probability is taken over the coin flips of A and O. 

Definition 2. A signature scheme is (T, Q, R, ε)-secure if an attacker A who is 
limited to Q queries to the random oracle O and R queries to the signing 
oracle S over a period of time T can create an existentially forged signature with 
probability at most ε after a chosen-message attack. The probability is taken over 
the coin flips of A, O and S. 

4.2 Signature Schemes from ZK Identification Schemes 

Fiat and Shamir have described a three-move identification protocol be- 
tween a prover and a verifier that is perfect zero-knowledge against an honest 
verifier. They have also used a general technique to derive a provably secure 
signature scheme from the ZK identification protocol, and an improved version 
of this signature scheme was presented by Feige, Fiat and Shamir, which 
we recall below. 

The setup phase of the signature scheme chooses two distinct primes p and 
q randomly and computes the composite integer n = pq. The two primes p and q 
are kept secret while n is the public modulus. For a security parameter k, which 
is a positive integer, distinct integers s_1, ..., s_k ∈ Z_n^* are chosen randomly. A 
public key K_p, which is the tuple (v_1, ..., v_k), is computed as v_i = s_i^{-2} mod n, 
1 ≤ i ≤ k, and the corresponding private key K_s is the tuple (s_1, ..., s_k). The 
scheme uses a one-way hash function hash : {0,1}* → {0,1}^k, where the security 
parameter k is chosen to prevent off-line attacks on the hash function. 

1. Prover chooses a random value (commitment) r, 1 ≤ r ≤ n − 1, and computes 
the value (witness) u = r^2 mod n. 

2. Prover computes the random value (challenge) e = (e_1, ..., e_k), where each 
e_i ∈ {0,1}, as e = hash(m || u) for a message m ∈ {0,1}*. 

3. Prover computes the value (response) s = r · ∏_{i=1}^{k} s_i^{e_i} mod n. 

4. Prover sends the signature (e, s) and message m to the verifier. 



Encrypted Message Authentication by Firewalls 






5. Verifier computes the value w = s^2 · ∏_{i=1}^{k} v_i^{e_i} mod n and e' = hash(m || w). 
The signature is accepted if and only if e' = e. This step is the signature 
verification test. 
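The Feige-Fiat-Shamir signature recalled in the five steps above, as an added example that is not from the paper: it runs on constructed toy parameters (a small two-prime modulus n and k = 32 challenge bits), with SHA-256 standing in for the one-way hash function; the names follow the section's notation.

```python
# Added example (not from the paper): Feige-Fiat-Shamir signatures as recalled
# in section 4.2, on constructed toy parameters. Do not reuse these parameters.
import hashlib
import secrets
from math import gcd

P_SECRET, Q_SECRET = 1019, 1187      # constructed toy primes (kept secret)
N = P_SECRET * Q_SECRET              # public modulus n = pq
K = 32                               # security parameter k: challenge bits


def challenge_bits(m, value):
    """e = hash(m || value), truncated to k bits and returned as a bit list."""
    digest = hashlib.sha256(m + value.to_bytes(4, "big")).digest()
    return [(digest[i // 8] >> (i % 8)) & 1 for i in range(K)]


def keygen():
    """Private key (s_1..s_k), distinct elements of Z_n^*; public v_i = s_i^-2."""
    s = []
    while len(s) < K:
        cand = secrets.randbelow(N - 2) + 2
        if gcd(cand, N) == 1 and cand not in s:
            s.append(cand)
    v = [pow(pow(si, 2, N), -1, N) for si in s]
    return s, v


def sign(m, s):
    """Steps 1-3: commitment r, witness u = r^2, challenge e, response."""
    r = secrets.randbelow(N - 2) + 1         # 1 <= r <= n - 1
    u = pow(r, 2, N)                         # witness u = r^2 mod n
    e = challenge_bits(m, u)                 # e = hash(m || u)
    resp = r
    for si, ei in zip(s, e):                 # s = r * prod s_i^{e_i} mod n
        if ei:
            resp = resp * si % N
    return e, resp


def verify(m, e, resp, v):
    """Step 5: w = s^2 * prod v_i^{e_i} mod n must hash back to e."""
    w = pow(resp, 2, N)
    for vi, ei in zip(v, e):
        if ei:
            w = w * vi % N                   # v_i = s_i^-2 cancels s_i^2, so w = u
    return challenge_bits(m, w) == e         # e' = hash(m || w) == e
```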



Remark 2. We make the following observations on the necessary attributes of signa- 
ture schemes that belong to the class derived from ZK identification protocols. 
The transmitted signed message consists of the tuple (challenge, response, mes- 
sage), where: 

1. The witness value is a random permutation from a very large set. 

2. The challenge is simply a one-way hash of the message being signed and the 
witness value. 

3. The response is bound only to the witness, challenge, message and private key 
K_s. 

4.3 Properties of Modified Signcryption Scheme 

Drawing from the above observations, we now show that the signature verifica- 
tion only mode has the necessary attributes that place the modified scheme 
within the class of signatures derived from ZK identification schemes. 

1. The commitment value is the random integer x and the witness value is y. 
If the length of the output of the hash function is sufficiently large, then y is a 
random permutation from a large set of size ⌈log_2 p⌉ for a given x. 

2. The challenge r is a one-way hash of the cipher text c and the witness y. 
As our intention is to authenticate the cipher message at the input to the 
firewall, use of c instead of the plain text m does not affect the security of 
the scheme. 

3. The response is computed from the commitment x (therefore, equivalently, the 
witness), the challenge r (therefore, including the cipher message c) and the private 
key x_a of the signer. 



4.4 Security Results 

Arguments for a (T, Q, ε)-secure Scheme. We assume a no-message attack 
by A with access to O and the public key of E with security parameter l. If A is 
successful in an existential forgery within a time bound T and random oracle 
query bound Q with probability of success ε > 7Q/2^l, then the Forking Lemma 
of Pointcheval and Stern [Theorem 10] states that the DLP in subgroups of 
prime order can be solved in expected time less than 84480QT/ε. 

The proof of the above claim can be directly shown by using the same approach 
as for the Schnorr signature scheme: after a polynomial replay of A, we obtain 
two valid signatures, (c, r, s) from the signing oracle σ and (c, r', s') from the random 
oracle O with r ≠ r', for the same cipher message using the modified signcryption 
scheme. Then we have the following two equalities as part of the signature ver- 
ification test: y = (y_a g^r)^s mod p and y = (y_a g^{r'})^{s'} mod p. By solving the two 






C. Gamage, J. Leiwo, Y. Zheng 



equations we can compute the secret key x_a of the signer E as 
log_g y_a = (r's' − rs)/(s − s') mod q. 

That is, if a signature can be successfully forged for any message then the DLP 
can be efficiently solved to reveal the secret values. It is important to note that 
the reduction is to the basic discrete logarithm problem although the security 
of the signcryption scheme is based on the computational Diffie-Hellman problem, 
which is argued to be less secure. 
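As an added example (not from the paper), the modified signcryption scheme as described in section 4.3 and in the argument just given, implemented on a constructed toy group: the three operating modes of Table 1 (signcrypt, unsigncrypt with message recovery, firewall verification only) and the key-extraction step from two forked signatures. SHA-256 stands in for the hash function and a SHA-256 keystream for the symmetric cipher E_k; the group parameters are constructed here, not the paper's.

```python
# Added example (not from the paper): modified Bao-Deng signcryption on a
# constructed toy group p = 2q + 1 with g of prime order q. Not for real use.
import hashlib
import secrets

P, Q, G = 2039, 1019, 4              # constructed toy parameters
assert pow(G, Q, P) == 1 and G != 1   # g generates the order-q subgroup


def hash_int(*parts):
    """hash(): SHA-256 over length-prefixed encodings, as a 256-bit integer."""
    h = hashlib.sha256()
    for part in parts:
        if isinstance(part, int):
            part = part.to_bytes(32, "big")
        h.update(len(part).to_bytes(2, "big") + part)
    return int.from_bytes(h.digest(), "big")


def symmetric(k, data):
    """E_k / D_k: XOR with a SHA-256 keystream derived from k (toy cipher)."""
    key = k.to_bytes(32, "big")
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def signcrypt(m, x_a, y_b):
    """Sender A: (c, r, s) using 2 EXP (y_b^x and g^x), as in Table 1."""
    while True:
        x = secrets.randbelow(Q - 1) + 1          # secret random commitment x
        k = hash_int(pow(y_b, x, P))              # k = hash(y_b^x mod p)
        y = pow(G, x, P)                          # witness y = g^x mod p
        c = symmetric(k, m)                       # c = E_k(m)
        r = hash_int(y, c)                        # challenge r = hash(y, c)
        if (r + x_a) % Q != 0:                    # otherwise s undefined: retry
            s = x * pow((r + x_a) % Q, -1, Q) % Q # s = x/(r + x_a) mod q
            return c, r, s


def recover_witness(r, s, y_a):
    """y = (y_a g^r)^s mod p: 2 EXP (1.17 with simultaneous exponentiation)."""
    return pow(y_a * pow(G, r % Q, P) % P, s, P)


def verify_only(c, r, s, y_a):
    """Firewall mode: check r = hash(y, c) without x_b or the plaintext m."""
    y = recover_witness(r, s, y_a)
    return y != 1 and hash_int(y, c) == r


def unsigncrypt(c, r, s, y_a, x_b):
    """Recipient B: one more EXP gives k = hash(y^x_b) = hash(y_b^x); then D_k."""
    if not verify_only(c, r, s, y_a):
        return None
    y = recover_witness(r, s, y_a)
    return symmetric(hash_int(pow(y, x_b, P)), c)


def extract_key_from_fork(r1, s1, r2, s2):
    """Section 4.4 step: two signatures sharing the witness y = g^x with
    r1 != r2 give x = (r1 + x_a) s1 = (r2 + x_a) s2 (mod q), hence
    x_a = (r2 s2 - r1 s1) / (s1 - s2) mod q. Returns None if s1 == s2 mod q."""
    if (s1 - s2) % Q == 0:
        return None
    return (r2 * s2 - r1 * s1) * pow((s1 - s2) % Q, -1, Q) % Q


def forking_demo(x_a):
    """Constructed forked pair: one x answered by two oracle values r1 != r2."""
    while True:
        x = secrets.randbelow(Q - 1) + 1
        r1 = hash_int(b"oracle answer 1", x)     # constructed oracle answers
        r2 = hash_int(b"oracle answer 2", x)
        if (r1 + x_a) % Q and (r2 + x_a) % Q and (r1 - r2) % Q:
            break
    s1 = x * pow((r1 + x_a) % Q, -1, Q) % Q
    s2 = x * pow((r2 + x_a) % Q, -1, Q) % Q
    return extract_key_from_fork(r1, s1, r2, s2)
```

An honest signer draws a fresh x for every message, so the forking pair only arises from replaying the forger in the proof; the extraction shows why the reduction lands on the discrete logarithm x_a.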

Arguments for a (T, Q, R, ε)-secure Scheme. We assume an adaptive 
chosen-message attack by A with access to O and the public key of E with security 
parameter l. Furthermore, A can query E as an oracle. If A is successful in an 
existential forgery within a time bound T, random oracle query bound Q and 
signing oracle query bound R with probability of success ε > 10(R + 1)(R + Q)/2^l, 
then the Forking Lemma of Pointcheval and Stern [Theorem 13] states that the 
DLP in subgroups of prime order can be solved in expected time less than 
120686QT/ε. 

Similar to the proof in the original paper, we only need to show that two 
signatures can be forked without using the secret value of E. This is done by 
showing that the signatures σ due to E and the signatures σ' due to O have the same 
probability distribution. 



σ = { (c, r, s) : x ∈_R Z/qZ, 
                  k = hash(y_b^x mod p), 
                  y = g^x mod p, 
                  c = E_k(m), 
                  r = hash(y, c), 
                  s = x/(r + x_a) mod q } 

and 

σ' = { (c, r, s) : x ∈_R Z/qZ, 
                   r ∈_R Z/qZ, 
                   s = x, 
                   c ∈ {0,1}*, 
                   t = (y_a g^r)^s mod p, 
                   y = hash(t), 
                   t ≠ 1 mod p }. 

The probabilities of obtaining a signature σ with r computed by E and σ' 
with r obtained from O such that y = hash((y_a g^r)^s mod p) ≠ 1 mod p are 

Pr_σ[c, r, s] = Pr_{x, O, r}[c, r, s] = 1/((q − 1) 2^l) 

and 

Pr_{σ'}[c, r, s] = Pr_{x, r}[c, r, s] = 1/((q − 1) 2^l). 



Finally, if E chooses the integer x uniformly at random, then the two 
values t = y_b^x mod p and y = g^x mod p are (pseudo) independent, as both g 
and y_b = g^{x_b} mod p are generators of order q, where q is a prime. This 
ensures that the signature verification and partial recovery of bits at the firewall 
do not leak information that can be used in an attack on message 
confidentiality or signature forgery. 



5 Conclusions 

The security proof given in section 4 provides only an asymptotic security analysis 
(compared to the notion of exact security). However, it is possible to give 
the exact security of the proposed scheme using the concrete security analysis 
methodology of Ohta and Okamoto based on the ID reduction technique. 

As a concluding remark, we observe that Canetti, Goldreich and Halevi 
have given counter-examples for protocols provably secure in the random oracle 
model but found to be insecure in practical implementation using cryptographic 
hash functions. More importantly, the specific counter-example they have pro- 
vided, correlation intractability, is at the core of the three-move ZK identification 
scheme to signature scheme conversion technique of Fiat-Shamir that we have 
used for constructing our proof. However, as yet we have not found any security 
weaknesses in the proposed scheme for authentication of encrypted messages by 
a network firewall due to those findings. 
Abstract. Correlation intractable function ensembles were introduced 
in an attempt to capture the "unpredictability" property of a random 
oracle: it is assumed that if R is a random oracle then it is infeasible 
to find an input x such that the input-output pair (x, R(x)) has some 
desired property. Since this property is often useful in designing many cryp- 
tographic applications in the random oracle model, it is desirable that a 
plausible construction of correlation intractable function ensembles be 
provided. However, no plausibility result has been proposed. In this 
paper, we show that proving the implication, "if one-way functions exist 
then correlation intractable function ensembles exist", is as hard as prov- 
ing that "3-round auxiliary-input zero-knowledge Arthur-Merlin proofs 
exist only for trivial languages such as BPP languages." As far as we 
know, proving the latter claim is a fundamental open problem in the 
theory of zero-knowledge proofs. Therefore, our result can be viewed as 
strong evidence that a construction based solely on one-way functions 
will be impossible, i.e., that any plausibility result will require stronger 
cryptographic primitives. 

Keywords: One-way functions, correlation intractability, zero-knowledge, 
interactive proofs, round complexity, random oracle. 



1 Introduction 

In this paper, we investigate the relationship between one-wayness and correla- 
tion intractability. 

1.1 Realizing Random Oracles 

The random oracle model is a very useful tool for designing 
cryptographic schemes such as public key encryption and digital signature, since 
the schemes in this model are often very simple and efficient; moreover, the 
security analysis is often clearer than in real life. However, we do not have a 
general mechanism for transforming schemes that are secure in the random oracle 
model into schemes that are secure in real life. For the purpose of realizing 
such transformations, Canetti started a research program aimed at identifying, 
defining and realizing the special-purpose properties of a random oracle. 
He roughly sketched its two properties. One is "total secrecy": it is assumed that 
if F(·) is a random oracle, F(x) gives no information on x. The other property 
is "unpredictability": it is assumed to be infeasible to find an input x such that 
the input-output pair (x, F(x)) has some desired property. 

Canetti introduced a new primitive called "oracle hashing" (later renamed "per- 
fectly one-way functions") in an attempt to capture the total secrecy. 
Recently, it was shown that perfectly one-way functions can be 
constructed based on any one-way permutation. On the other hand, 
Canetti, Goldreich and Halevi introduced another new primitive called "cor- 
relation intractable function ensembles" in order to capture the unpredictabil- 
ity. They showed that there exist no correlation intractable function 
ensembles. However, their result leaves open the question of the existence of 
restricted correlation intractable function ensembles, where "restricted" means 
that each function will only be applied to inputs of pre-specified length. They 
remarked that it is interesting to either provide a negative result even for this 
special case or provide a plausible construction based on general complexity as- 
sumptions. In light of the above, it is important to investigate the relationships 
among restricted correlation intractable function ensembles and other crypto- 
graphic primitives such as one-way functions. 

This paper addresses the question of whether one can prove the implication 
that 

If one-way functions exist, then restricted correlation intractable function 
ensembles exist. 

Our answer is a negative one: it seems difficult to prove it. This negative rela- 
tionship between one-wayness and restricted correlation intractability is obtained 
by investigating the lower bounds for the round complexity of auxiliary-input 
zero-knowledge proofs. 



1.2 The Round Complexity of Auxiliary-Input Zero-Knowledge 

Zero-knowledge (ZK) protocols play a central role in modern cryptog- 
raphy. The round complexity, the number of messages exchanged, is a standard 
complexity measure for the efficiency of ZK protocols. The lower bounds for 
the round complexity have been investigated from the practical and theoreti- 
cal viewpoints so far. Goldreich and Oren showed that only languages in BPP 
have 1-round GMR-ZK protocols, where GMR-ZK is the original def- 
inition of ZK. They also showed that only languages in BPP have 
2-round auxiliary-input ZK (AIZK) protocols. Furthermore, Goldre- 
ich and Krawczyk showed that only languages in BPP have 3-round blackbox- 
simulation ZK (BSZK) protocols.^1 Since their proof uses 
the notion of blackbox-simulation in an essential way, their result does not apply 
to the notions of GMR-ZK and AIZK. In fact, it is an interesting open problem 
whether there exists a 3-round ZK protocol for a non-trivial language with re- 
spect to GMR-ZK and AIZK.^2 

In this paper, we focus on Arthur-Merlin (AM) protocols. Recall that in AM 
protocols, the (honest) verifier chooses all its messages at random, that is, all 
the messages sent by the verifier are public random coins. We consider 
the question of whether one can prove that 

there exist 3-round ZK (GMR-ZK or AIZK) AM proofs 
only for trivial languages such as BPP languages. 

We believe that proving it unconditionally is a fundamental open problem in 
the theory of ZK proofs. However, it may be possible to prove it under some 
complexity assumptions. 

In 3-round AM protocols, a cheating verifier may choose its public-coin mes- 
sage (challenge message) as a cryptographic hash function value of the first 
message sent by the prover. Many researchers consider that the simulation for 
such a cheating verifier is difficult to do. Therefore, we naturally conjecture that, 
assuming the existence of cryptographic hash functions, only trivial languages 
have 3-round ZK protocols.^3 What can we show if we use restricted correlation 
intractable function ensembles as cryptographic hash functions? We show that, 
assuming the existence of restricted correlation intractable function ensembles, 
3-round AIZK AM proofs exist only for easy-to-approximate languages: we say 
that a language is easy to approximate if it can be recognized in probabilistic 
polynomial time on average when the instance is generated from any polynomially 
samplable distribution. This triviality result is our main technical contribution. 
Furthermore, we show that, under the stronger assumption that there exist non- 
uniform restricted correlation intractable function ensembles, 3-round AIZK AM 
proofs exist only for BPP languages. We also argue that our results extend to 
both the argument model and the constant-round case. Therefore, we may say 
that our results complement the result of Goldreich and Krawczyk in the case of 
AM protocols, although complexity assumptions are required. 



1.3 Our Result and Related Works 

We show that proving the implication, "if one-way functions exist then correla- 
tion intractable function ensembles exist", is as hard as proving that "3-round 
AIZK AM proofs exist only for trivial languages." As described above, whether 
one can prove the latter claim unconditionally is an open problem. Therefore, this 
can be viewed as strong evidence that it will be difficult to construct restricted 
correlation intractable function ensembles assuming only that one-way functions 
exist, i.e., that any plausibility result will require stronger cryptographic prim- 
itives. It is easily obtained by combining our triviality result for 3-round AIZK 
AM proofs with the result of Ostrovsky and Wigderson, which shows 
that one-way functions are essential for non-trivial zero-knowledge proofs. 

1 It is known that CI(BSZK) ⊆ CI(AIZK) ⊆ CI(GMR-ZK), where CI(def) 
denotes the class of all ZK protocols satisfying the requirements of definition def. 

2 This problem was partially solved in [reference]. 

3 Nevertheless, Goldreich and Krawczyk showed that only languages in BPP have 
3-round BSZK protocols without making any assumptions. Their proof 
uses the blackbox-simulation of a (deterministic) cheating verifier which behaves as 
a random oracle. 

The limits on the provable consequences of one-way functions have been studied 
before. Impagliazzo and Rudich showed that constructing a secure secret-key 
agreement protocol using any one-way permutation as a "blackbox" is as hard 
as proving P ≠ NP. That is, it is highly unlikely that secret-key agreement pro- 
tocols can be constructed based on any one-way permutation. Recently, Simon 
showed that there is no "blackbox" reduction from one-way permutations to col- 
lision intractable hash functions. We note that both results leave open the 
possibility of the existence of a non-relativizing reduction from one-way permuta- 
tions to secret-key agreement protocols or collision intractable hash functions. 
In non-relativizing reductions, one can not only use a one-way permutation as 
a blackbox, but also use the actual program for it. Our result can be viewed 
as a stronger type of limit, since it says that there does not seem to exist 
even a non-relativizing reduction from one-way functions to restricted correlation 
intractable function ensembles. 

1.4 Organization 

In Section 2, we give the definitions of interactive proofs, auxiliary-input zero- 
knowledge, restricted correlation intractability and the class of trivial languages. 
In Section 3, we show the triviality of 3-round auxiliary-input zero-knowledge 
AM proofs. Section 4 presents the negative relationship between one-way func- 
tions and restricted correlation intractable function ensembles using the triviality 
result in Section 3. We conclude with some remarks in Section 5. 

2 Preliminaries 

We say that a function ν(·) : N → R is negligible in n if for every polynomial 
poly(·) and all sufficiently large n's, it holds that ν(n) < 1/poly(n). Also, we say 
that a function f(·) : N → R is overwhelming in n if f(·) = 1 − ν(·) for some 
negligible function ν(·). We often omit the expression "in n" when the definition 
of n is clear from the context. 

If S is any probability distribution then x ← S denotes the operation of 
selecting an element at random according to S. If S is a set then 
we use the same notation to denote the operation of picking an element x uni- 
formly from S. If A is a probabilistic machine then A(x_1, ..., x_k) denotes the 
output distribution of A on inputs (x_1, x_2, ..., x_k). Let Pr[R_1; R_2; ...; R_k : E] 
denote the probability of the event E after the random or deterministic processes 
R_1, R_2, ..., R_k are performed in order. 

2.1 Interactive Proofs and Arguments 

We consider two probabilistic interactive machines called the prover and the 
verifier. The verifier is always a probabilistic polynomial-time machine. Initially 
both machines have access to a common input tape which includes x of length n. 
The prover and the verifier send messages to one another through two commu- 
nication tapes. After exchanging a polynomial number of messages, the verifier 
stops in an accept state or in a reject state. Each machine only sees its own tapes, 
namely, the common input tape, the random tape, the auxiliary-input tape and 
the communication tapes. Let A(x, y, m) denote the next message of the machine 
A, where x is the common input, y the auxiliary input and m the messages so 
far. Let Acc(P_x^y, V_x) denote the probability that V accepts the common input 
x when interacting with P, which takes an auxiliary input y. The probability is 
taken over the random tapes of both machines. 

We deal with two kinds of interactive protocols. One is "interactive proof" 
and the other is "interactive argument". The former requires that even a com- 
putationally unrestricted prover should be unable to make the verifier accept 
x ∉ L, except with negligible probability. On the other hand, the 
latter requires that any cheating prover restricted to probabilistic polynomial 
time should be unable to make the verifier accept x ∉ L, except with negligible 
probability. Clearly, the notion of interactive arguments is a 
generalization of the notion of interactive proofs. 

Definition 1 (interactive proofs). Let P, V be two probabilistic 
interactive machines. We say that (P, V) is an interactive proof for L if V is a 
probabilistic polynomial-time machine and the following two conditions hold: 

— Completeness: For every polynomial poly(·) and all sufficiently long x ∈ L, 

Acc(P_x, V_x) > 1 − 1/poly(|x|). 

— Statistical Soundness: For every machine P (the computationally unrestricted 
cheating prover), every polynomial poly(·) and all sufficiently long x ∉ L, 

Acc(P_x, V_x) < 1/poly(|x|). 

Since the prover P is computationally unrestricted, the auxiliary input to P is 
omitted. 



Definition 2 (interactive arguments). Let P, V be two probabilis- 
tic polynomial-time interactive machines. We say that (P, V) is an interactive 
argument for L if the following two conditions hold: 

— Completeness: For every polynomial poly(·) and all sufficiently long x ∈ L, there 
exists an auxiliary input y such that 

Acc(P_x^y, V_x) > 1 − 1/poly(|x|). 

— Computational Soundness: For every probabilistic polynomial-time machine 
P (the polynomial-time bounded cheating prover), every polynomial poly(·), 
all sufficiently long x ∉ L and every auxiliary input y, 

Acc(P_x^y, V_x) < 1/poly(|x|). 

2.2 Auxiliary-Input Zero-Knowledge 

We recall the definition of auxiliary-input zero-knowledge. A view of the verifier 
is a distribution ensemble which consists of the common input, the verifier's 
auxiliary input, the verifier's random coins and the sequence of messages sent by 
the prover and the verifier during the interaction. Let View(P_x, V_x^y) = [x, y, r, m] 
denote V's view after interacting with P, where x is the common input, y the 
auxiliary input to V, r the random coins of V and m the sequence of messages 
sent by P and V. 

Definition 3 (auxiliary-input zero-knowledge). Let P, V be two 
probabilistic interactive machines. We say that (P, V) is auxiliary-input zero- 
knowledge for L if for every probabilistic polynomial-time machine V (the cheat- 
ing verifier), there exists a probabilistic polynomial-time machine S_V (the sim- 
ulator) such that the following two distribution ensembles are computationally 
indistinguishable: 

{S_V(x, y)}_{x ∈ L, y ∈ {0,1}*} and {View(P_x, V_x^y)}_{x ∈ L, y ∈ {0,1}*}. 

Namely, for every polynomial-size circuit family D = {D_{x,y}}_{x ∈ L, y ∈ {0,1}*}, every 
polynomial poly(·), all sufficiently long x ∈ L and all y ∈ {0,1}*, 

|Pr[v ← S_V(x, y) : D_{x,y}(v) = 1] − Pr[v ← View(P_x, V_x^y) : D_{x,y}(v) = 1]| < 1/poly(|x|). 

GMR-ZK is defined in the same way, except that the verifier is not allowed to 
take an auxiliary input y. We denote by ZK (resp. AIZK) the class of languages 
that have a GMR-ZK (resp. AIZK) interactive proof. Also, we denote by 3R- 
AIZK-AM the class of languages that have 3-round AIZK AM interactive 
proofs. 



2.3 Restricted Correlation Intractable Function Ensembles 

We review the definition of restricted correlation intractable function ensembles 
introduced by Canetti, Goldreich and Halevi. At the same time, we give its non-uniform 
variant. Let l_in, l_out : N → N be length functions. 

Definition 4 (function ensembles). An l_out-function ensemble is a sequence 
F = {F_k}_{k ∈ N} of function families F_k = {f_s : {0,1}* → {0,1}^{l_out(k)}}_{s ∈ {0,1}^k} such 
that the following two conditions hold: 

Length requirement. For every s ∈ {0,1}^k and every x ∈ {0,1}*, |f_s(x)| = 
l_out(k). 

Efficiency requirement. There exists a polynomial-time algorithm Eval such that for 
all s ∈ {0,1}^k and x ∈ {0,1}*, Eval(s, x) = f_s(x). In the 
sequel, we call s the seed of the function f_s. 

A machine M is called l_in-respectful if |M(s)| = l_in(|s|) for all s ∈ {0,1}*. 
A uniform (l_in, l_out)-function ensemble is a sequence {U_{l_in(k), l_out(k)}}_{k ∈ N}, 
where U_{l_in(k), l_out(k)} is the set of all functions f : {0,1}^{l_in(k)} → {0,1}^{l_out(k)}. 

We say that a relation R is evasive if it is hard to find an input-output pair 
satisfying R under a truly random function (in the random oracle model). Note 
that there are relations which are easy to satisfy even in the random oracle model. 

Definition 5 (evasive relations). A binary relation R is evasive with respect 
to (l_in, l_out) if for every l_in-respectful probabilistic polynomial-time machine M, 
every polynomial poly(·) and all sufficiently large k's, 

Pr[O ← U_{l_in(k), l_out(k)}; x ← M^O(1^k) : (x, O(x)) ∈ R] < 1/poly(k). 

Also, we say that R is non-uniformly evasive with respect to (l_in, l_out) if the above 
condition holds for every l_in-respectful polynomial-size circuit family M. 

A special case of evasive relations consists of R's for which, for every polyno- 
mial poly(·) and all sufficiently large k's, 

max_{x ∈ {0,1}^{l_in(k)}} { Pr[y ← {0,1}^{l_out(k)} : (x, y) ∈ R] } < 1/poly(k). 

We say that a function ensemble F is correlation intractable if, given any 
evasive relation R and a randomly chosen description of a function f_s, it is hard 
to find an input-output pair satisfying R under f_s. 

Definition 6 (restricted correlation intractability). We say that an l_out- 
function ensemble F is (l_in, l_out)-restricted correlation intractable if for every l_in- 
respectful probabilistic polynomial-time machine M and every evasive relation R 
with respect to (l_in, l_out), every polynomial poly(·) and all sufficiently large k's, 

Pr[s ← {0,1}^k; x ← M(s) : (x, f_s(x)) ∈ R] < 1/poly(k). 

Also, we say that an l_out-function ensemble F is (l_in, l_out)-restricted non-uniform 
correlation intractable if the above condition holds for every l_in-respectful poly- 
nomial-size circuit family M and every non-uniformly evasive relation R. 

Note that if l_out(k) = O(log k), there exist no (l_in, l_out)-restricted corre- 
lation intractable function ensembles. In the sequel, we always assume that 
ω(log k) < l_out(k) < poly(k). Canetti, Goldreich and Halevi showed that if 
l_in(k) > k − O(log k) for infinitely many k's or if l_in(k) + l_out(k) > k + ω(log k) 
for infinitely many k's, then there exist no (l_in, l_out)-restricted correlation in- 
tractable function ensembles. However, their results leave open the 
question of the existence of restricted correlation intractable function ensem- 
bles for the case l_in(k) + l_out(k) < k + O(log k). Therefore, when we say that 
there exist restricted correlation intractable function ensembles, we mean that for 
any pair of length functions (l_in, l_out) such that l_in(k) + l_out(k) < k + O(log k), 
there exists an (l_in, l_out)-restricted correlation intractable function ensemble. 

Remark 1. Definition 6 quantifies over all evasive relations. A weaker 
notion, called restricted weak correlation intractability, is obtained by quantify- 
ing only over all polynomial-time recognizable evasive relations. 



2.4 The Class of Trivial Languages 

For any language L, we denote by χ_L the characteristic function of the language 
L, that is, χ_L(x) = ACC if x ∈ L and χ_L(x) = REJ otherwise. BPP is a typical 
class of "trivial" languages. 

Definition 7 (BPP). We say that a language L is in BPP if there exists a 
probabilistic polynomial-time machine A such that for every polynomial poly(·) and 
all sufficiently long x's, Pr[b ← A(x) : b = χ_L(x)] > 1 − 1/poly(|x|). 

The class of trivial languages is not only BPP. We define the class of easy- 
to-approximate languages, which is a variant of the class of hard-to-approximate 
languages defined in [Definition 4.5.3 on p. 180]. 

Definition 8 (ETA). We say that a language L is easy to approximate if for 
every probabilistic polynomial-time machine S, there exists a probabilistic poly- 
nomial-time machine A such that for every polynomial poly(·) and all sufficiently 
large n's, Pr[x ← S(1^n); b ← A(x) : b = χ_L(x)] > 1 − 1/poly(n), where S(1^n) 
ranges over {0,1}^n. We denote by ETA the class of languages which are easy to 
approximate. 

BPP requires that every instance in the language is easy to recognize. On 
the other hand, ETA only requires that it is infeasible to find an instance which 
is hard to recognize. Therefore, it holds that BPP ⊆ ETA. 

3 The Complexity of 3-Round AIZK AM Proofs

In this section, we prove that 3-round AIZK AM proofs exist only for trivial languages in ETA or BPP.

Theorem 1 (ETA Version). Assume that there exist restricted correlation intractable function ensembles. Then 3R-AIZK-AM $\subseteq$ ETA.

Proof. We assume that a language $L$ has an AIZK AM interactive proof $(P, V)$. In order to complete the proof, we have to show that $L$ is easy to approximate.

We use the following notation. Denote by $x$ the common input for the protocol $(P, V)$ and by $n$ the length of $x$. The first message $\alpha$ is sent by the prover $P$. In the second round, the verifier $V$ sends a challenge message $\beta$. The third message $\gamma$ is sent by the prover. We denote by $l_\alpha(n)$ and $l_\beta(n)$ the lengths of $\alpha$ and $\beta$, respectively. Without loss of generality, we assume that the honest verifier chooses $\beta$ uniformly at random in $\{0,1\}^{l_\beta(n)}$. The predicate computed by the verifier in order to decide whether to accept or reject is denoted by $\rho_V(x, \alpha, \beta, \gamma)$. That is, $V$ accepts $x$ if and only if $\rho_V(x, \alpha, \beta, \gamma) = ACC$. We note that $\rho_V$ may be a randomized function.

Firstly, we select an $(l_{in}, l_{out})$-restricted correlation intractable function ensemble $\mathcal{F} = \{F_k\}_{k \in \mathbb{N}}$ and the seed length $k$ such that $l_{in}(k) = l_\alpha(n)$ and $l_{out}(k) = l_\beta(n)$. We note that the length functions $(l_{in}, l_{out})$ must be selected so that they satisfy the condition $k + O(\log k) > l_{in}(k) + l_{out}(k)$. Since the verifier is a polynomial-time machine, there exist constants $c, d$ such that $l_\alpha(n) + l_\beta(n) < cn^d$. We set $k = cn^d$ and select $(l_{in}, l_{out})$ such that $l_{in}(k) = l_\alpha((k/c)^{1/d})$ and $l_{out}(k) = l_\beta((k/c)^{1/d})$. As a result, the desired condition $k + O(\log k) > k > l_{in}(k) + l_{out}(k)$ is satisfied. We note that a function is negligible or overwhelming "in $n$" if and only if it is negligible or overwhelming "in $k$", respectively. Therefore, even if we omit the expressions "in $n$" and "in $k$", there is no ambiguity.

Next, we consider a (deterministic) cheating verifier $\hat{V}$ which uses the selected $(l_{in}, l_{out})$-restricted correlation intractable function ensemble $\mathcal{F} = \{F_k\}_{k \in \mathbb{N}}$ ($F_k = \{f_s\}_{s \in \{0,1\}^k}$) in order to compute the second message $\beta$ from the first message $\alpha$. The key idea is to let $\hat{V}$ use its auxiliary-input as a seed of $\mathcal{F}$.

Machine: The cheating verifier $\hat{V}$.

Input: The common input $x$ of length $n$, the auxiliary-input $y$ and the first message $\alpha$.

Output: The second message $\beta = \hat{V}(x, y, \alpha)$.

CV1: $\hat{V}$ checks if $y$ is of length $k = cn^d$. If this is false then $\hat{V}$ aborts.

CV2: $\hat{V}$ computes $\beta = f_y(\alpha)$ and outputs $\beta$.

Except for the computation of $\beta$, $\hat{V}$ behaves in the same way as the honest verifier $V$.

Since the language $L$ has an AIZK interactive proof, there exists a simulator $S_{\hat{V}}$ for the cheating verifier $\hat{V}$. We construct a probabilistic polynomial-time machine $A$ which uses $S_{\hat{V}}$ to recognize $L$.

Machine: $A$, which tries to recognize $L$.

Input: The common input $x$ of length $n$, generated by a probabilistic polynomial-time machine $S$ on input $1^n$.

Output: ACC or REJ.

Step 1: $A$ generates a seed $s$ uniformly at random in $\{0,1\}^k$, where $k = cn^d$.

Step 2: $A$ runs $S_{\hat{V}}(x, s)$ to get a view $[x, s, -, (\alpha, \beta, \gamma)]$, where the random coins in the view of $\hat{V}$ are empty since it is deterministic.

Step 3: $A$ outputs $\rho_V(x, \alpha, \beta, \gamma)$.
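To make the two machines concrete, here is an added toy example in Python; it is not code from the paper. A Schnorr-type 3-round protocol for the statement $y = g^x$ in a small constructed group stands in for $(P, V)$, a keyed SHA-256 hash of $\alpha$ with the auxiliary input as key stands in for $f_y(\alpha)$ (an assumption of the example: the paper only requires a restricted correlation intractable ensemble, and a keyed hash is not known to be one), and `machine_A_check` applies Step 3 of $A$ to a view. Transcripts from the honest prover, who knows $x$, always pass the check. Transcripts from the usual honest-verifier simulator, which fixes $\beta$ before $\alpha$ exists, satisfy $\rho_V$ but agree with $\hat{V}$'s challenge rule only when the hash happens to land on the chosen $\beta$, which is why the proof needs a simulator for $\hat{V}$ specifically rather than for the honest verifier.

```python
import hashlib
import secrets

# Constructed toy group: p = 2q + 1 with q prime; g = 4 is a quadratic residue,
# so it generates the subgroup of prime order q.
P, Q, G = 2039, 1019, 4


def f(seed: bytes, alpha: int) -> int:
    """Stand-in for f_y(alpha): a keyed hash of the first message, keyed by the
    auxiliary input y (assumption of this example, see the lead-in)."""
    digest = hashlib.sha256(seed + alpha.to_bytes(2, "big")).digest()
    return int.from_bytes(digest, "big") % Q


def cheating_verifier(seed: bytes, alpha: int) -> int:
    """V-hat, steps CV1/CV2: deterministic challenge beta = f_y(alpha)."""
    return f(seed, alpha)


def rho_V(y: int, alpha: int, beta: int, gamma: int) -> bool:
    """The verifier's decision predicate for the toy protocol: g^gamma = alpha * y^beta."""
    return pow(G, gamma, P) == (alpha * pow(y, beta, P)) % P


def honest_prover_view(x: int, seed: bytes):
    """A real interaction between the prover (who knows x) and V-hat."""
    r = secrets.randbelow(Q - 1) + 1
    alpha = pow(G, r, P)                    # first message
    beta = cheating_verifier(seed, alpha)   # V-hat's challenge, derived from alpha
    gamma = (r + x * beta) % Q              # third message
    return alpha, beta, gamma


def hv_simulator_view(y: int):
    """The standard honest-verifier simulator: choose beta and gamma first, then solve
    for alpha. It never uses x, and it cannot know f_y(alpha) before alpha is fixed."""
    beta = secrets.randbelow(Q)
    gamma = secrets.randbelow(Q)
    alpha = (pow(G, gamma, P) * pow(y, -beta, P)) % P
    return alpha, beta, gamma


def machine_A_check(seed: bytes, y: int, view) -> bool:
    """Step 3 of machine A on a view: rho_V must accept and the view must be one that
    V-hat with auxiliary input `seed` could actually have produced."""
    alpha, beta, gamma = view
    return rho_V(y, alpha, beta, gamma) and beta == cheating_verifier(seed, alpha)


def experiment(x: int, seed: bytes, trials: int = 200):
    """Count how many real views and how many HV-simulated views pass machine A's check."""
    y = pow(G, x, P)
    real = sum(machine_A_check(seed, y, honest_prover_view(x, seed)) for _ in range(trials))
    simulated = sum(machine_A_check(seed, y, hv_simulator_view(y)) for _ in range(trials))
    return real, simulated
```

With $q = 1019$ a simulated view agrees with $\hat{V}$ by chance about once in a thousand trials; with an ensemble of the kind the theorem assumes, that chance is negligible in $k$, which is exactly the evasiveness the two cases of the proof rely on.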

To complete the proof, we need to show that if $x \in L$ then $A$ outputs ACC with overwhelming probability, and otherwise $A$ outputs REJ with overwhelming probability. That is, we need to show that for every probabilistic polynomial-time machine $S$,

$$\Pr[x \leftarrow S(1^n);\ b \leftarrow A(x) : b = \chi_L(x)] = \Pr\big[x \leftarrow S(1^n);\ s \leftarrow \{0,1\}^k;\ [x, s, -, (\alpha, \beta, \gamma)] \leftarrow S_{\hat{V}}(x, s);\ b \leftarrow \rho_V(x, \alpha, \beta, \gamma) : b = \chi_L(x)\big]$$

is overwhelming. Note that $\rho_V$ may be a randomized function.



The case of $x \notin L$. This part of the proof uses the soundness of the protocol $(P, V)$ and the correlation intractability of $\mathcal{F}$.

We consider a relation $R_1$ defined as follows: $(\alpha, \beta) \in R_1$ if and only if there exists $\gamma$ such that $\Pr[b \leftarrow \rho_V(x, \alpha, \beta, \gamma) : b = ACC]$ is overwhelming. Roughly speaking, $(\alpha, \beta) \in R_1$ is a prefix of an accepting conversation on $x \notin L$. We claim that $R_1$ is evasive with respect to $(l_{in}, l_{out})$. It follows from the soundness. The soundness requires that for every polynomial $poly(\cdot)$ and all sufficiently large $n$'s,

$$\max_{\alpha \in \{0,1\}^{l_\alpha(n)}} \left\{ \Pr[\beta \leftarrow \{0,1\}^{l_\beta(n)} : (\alpha, \beta) \in R_1] \right\} < \frac{1}{poly(n)}.$$

Since $k = cn^d$, for every polynomial $poly(\cdot)$ and all sufficiently large $k$'s, we have

$$\max_{\alpha \in \{0,1\}^{l_{in}(k)}} \left\{ \Pr[\beta \leftarrow \{0,1\}^{l_{out}(k)} : (\alpha, \beta) \in R_1] \right\} < \frac{1}{poly(k)}.$$

This means that $R_1$ is evasive.

Next, we claim that the probability

$$\Pr[x \leftarrow S(1^n);\ s \leftarrow \{0,1\}^k;\ [x, s, -, (\alpha, \beta, \gamma)] \leftarrow S_{\hat{V}}(x, s) : (\alpha, \beta) \in R_1]$$

is negligible. This means that the view output by $S_{\hat{V}}$ in Step 2 is accepting with negligible probability. Assume that the above probability is not negligible. Then we can construct a probabilistic polynomial-time machine $M$ which violates the correlation intractability of $\mathcal{F}$.



Machine: $M$, which violates the correlation intractability of $\mathcal{F}$.

Input: The seed $s$ chosen uniformly at random in $\{0,1\}^k$.

Output: $(\alpha, \beta)$.

M1: $M$ runs $S(1^n)$ in order to generate $x$, where $n = (k/c)^{1/d}$.

M2: $M$ runs $S_{\hat{V}}(x, s)$ in order to get a view $[x, s, -, (\alpha, \beta, \gamma)]$.

M3: $M$ outputs $(\alpha, \beta)$.

Clearly, the probability that $M$ outputs $(\alpha, \beta) \in R_1$ is not negligible. This contradicts the correlation intractability of $\mathcal{F}$ since $R_1$ is evasive. Therefore, we conclude that $A$ outputs REJ with overwhelming probability.



The case of $x \in L$. This part of the proof uses the completeness, the zero-knowledge property of the protocol $(P, V)$ and the correlation intractability of $\mathcal{F}$.

We consider a relation $R_2$ defined as follows: $(\alpha, \beta) \in R_2$ if and only if $\alpha$ is a possible first message of the prescribed prover and, for every $\gamma$, $\Pr[b \leftarrow \rho_V(x, \alpha, \beta, \gamma) : b = REJ]$ is overwhelming. Roughly speaking, $(\alpha, \beta) \in R_2$ is a prefix of a rejecting conversation on $x \in L$. We claim that $R_2$ is evasive with respect to $(l_{in}, l_{out})$. It follows from the completeness. The completeness requires that for every polynomial $poly(\cdot)$ and all sufficiently large $n$'s,

$$\max_{\alpha \in \{0,1\}^{l_\alpha(n)}} \left\{ \Pr[\beta \leftarrow \{0,1\}^{l_\beta(n)} : (\alpha, \beta) \in R_2] \right\} < \frac{1}{poly(n)}.$$

Since $k = cn^d$, for every polynomial $poly(\cdot)$ and all sufficiently large $k$'s,

$$\max_{\alpha \in \{0,1\}^{l_{in}(k)}} \left\{ \Pr[\beta \leftarrow \{0,1\}^{l_{out}(k)} : (\alpha, \beta) \in R_2] \right\} < \frac{1}{poly(k)}.$$

This means that $R_2$ is evasive. We remark that if $R_2$ did not require that $\alpha$ is a possible first message of the prescribed prover, $R_2$ would not necessarily be evasive.

Next, we claim that the view of $\hat{V}$ interacting with the honest prover $P$ is accepting with overwhelming probability (or rejecting with negligible probability) when $x$ is generated by $S(1^n)$ and $y$ is randomly chosen from $\{0,1\}^k$. Assume that the probability

$$\Pr\big[x \leftarrow S(1^n);\ y \leftarrow \{0,1\}^k;\ [x, y, -, (\alpha, \beta, \gamma)] \leftarrow View(P_x, \hat{V}_y);\ b \leftarrow \rho_V(x, \alpha, \beta, \gamma) : b = REJ\big] \qquad (1)$$

is not negligible. By the definition of $R_2$, this assumption means that the probability

$$\Pr\big[x \leftarrow S(1^n);\ y \leftarrow \{0,1\}^k;\ [x, y, -, (\alpha, \beta, \gamma)] \leftarrow View(P_x, \hat{V}_y) : (\alpha, \beta) \in R_2\big]$$

is not negligible. Then we can construct a probabilistic polynomial-time machine $M$ which violates the correlation intractability of $\mathcal{F}$.



Machine: $M$, which violates the correlation intractability of $\mathcal{F}$.

Input: The seed $s$ chosen uniformly at random in $\{0,1\}^k$.

Output: $(\alpha, \beta)$.

M1: $M$ runs $S(1^n)$ in order to generate $x$, where $n = (k/c)^{1/d}$.

M2: $M$ runs the simulator $S_{\hat{V}}(x, s)$ in order to get the first message $\alpha$.

M3: $M$ runs the cheating verifier $\hat{V}(x, s, \alpha)$ in order to get the second message $\beta$.

M4: $M$ outputs $(\alpha, \beta)$.

Since the zero-knowledge property of $(P, V)$ guarantees that the first message $\alpha$ output by $S_{\hat{V}}$ in M2 is computationally indistinguishable from a real first message sent by $P$, the output distribution of $M$ is computationally indistinguishable from the $(\alpha, \beta)$ distribution of $View(P_x, \hat{V}_y)$. This means that the probability that $M$ outputs $(\alpha, \beta) \in R_2$ is not negligible. Therefore, this contradicts the correlation intractability of $\mathcal{F}$ since $R_2$ is evasive.

Now we know that when the input $x$ is generated by $S(1^n)$ and $y$ is randomly chosen from $\{0,1\}^k$, the view of $\hat{V}$ interacting with $P$ is accepting with overwhelming probability. That is, the probability of equation (1) is negligible. Since the zero-knowledge property guarantees that the view output by $S_{\hat{V}}$ is computationally indistinguishable from $View(P_x, \hat{V}_y)$, it holds that

$$\Pr\big[x \leftarrow S(1^n);\ y \leftarrow \{0,1\}^k;\ [x, y, -, (\alpha, \beta, \gamma)] \leftarrow S_{\hat{V}}(x, y);\ b \leftarrow \rho_V(x, \alpha, \beta, \gamma) : b = REJ\big] \qquad (2)$$

is negligible. Therefore, we conclude that $A$ outputs ACC with overwhelming probability.

Theorem 1 follows from the claims in the two cases. □

In Section 4, we need the following special case of Theorem 1. We denote by 3R-AIZK-AM$[l_\alpha, l_\beta]$ the class of languages that have 3-round AIZK AM proofs in which the first and second messages are of length $l_\alpha(n)$ and $l_\beta(n)$, respectively.

Theorem 2. Assume that there exist $(l_\alpha, l_\beta)$-restricted correlation intractable function ensembles. Then 3R-AIZK-AM$[l_\alpha, l_\beta] \subseteq$ ETA.

Proof. In the proof of Theorem 1, consider the special case in which the length functions $(l_\alpha, l_\beta)$ satisfy the condition $n + O(\log n) > l_\alpha(n) + l_\beta(n)$. Since it is then sufficient to set $k = n$, $l_{in} = l_\alpha$ and $l_{out} = l_\beta$, the claim follows. □

Next, we strengthen Theorem 1 using the assumption of the existence of restricted non-uniform correlation intractable function ensembles.

Theorem 3 (BPP Version). Assume that there exist restricted non-uniform correlation intractable function ensembles. Then 3R-AIZK-AM $=$ BPP.

Proof. It is clear that BPP $\subseteq$ 3R-AIZK-AM. The proof of 3R-AIZK-AM $\subseteq$ BPP is essentially equivalent to the proof of Theorem 1, except that the input $x$ is given non-uniformly. However, this non-uniformly given input can be dealt with by the non-uniformity in the definition of non-uniform correlation intractability. □



Remark 2. Neither $R_1$ nor $R_2$ can be recognized in probabilistic polynomial time. Therefore, assuming the existence of restricted weak correlation intractable function ensembles is not sufficient for the theorems above.

Remark 3 (Interactive Arguments). We show how to generalize the proofs of the theorems above in order to obtain the same results in the argument model. $R_2$ remains evasive in the setting of interactive arguments, since the evasiveness of $R_2$ relies on the completeness but not on the soundness. Therefore, the proof of the part $x \in L$ automatically holds for interactive arguments. On the other hand, $R_1$ is not always evasive in the setting of interactive arguments, since the evasiveness of $R_1$ relies on the statistical soundness. Therefore, we need to modify $R_1$ as follows: $(\alpha, \beta) \in R_1$ if and only if for every probabilistic polynomial-time machine $\hat{P}$ and every $y$, the probability

$$\Pr[\gamma \leftarrow \hat{P}_y(\alpha, \beta);\ b \leftarrow \rho_V(x, \alpha, \beta, \gamma) : b = ACC]$$

is overwhelming. If we use this evasive relation $R_1$, the proof of the part $x \notin L$ holds for interactive arguments.

Remark 4 (Constant Round Case). Our results extend to the constant-round case. But we need to generalize the evasiveness and the correlation intractability to deal with multiple input-output pairs rather than a single pair. We omit the details here.

4 One-Wayness and Restricted Correlation Intractability

In this section, we show the negative relationship between one-way functions and restricted correlation intractable function ensembles. We start by reviewing the result of Ostrovsky and Wigderson.

It is well-known that assuming the existence of non-uniform one-way functions, it holds that NP $\subseteq$ ZK.* Ostrovsky and Wigderson considered the question of whether this sufficient condition is also necessary. They showed that the existence of zero-knowledge interactive proofs for languages outside ETA implies the existence of one-way functions (but not of non-uniform one-way functions).

Definition 9 (one-way functions). A function $f : \{0,1\}^* \to \{0,1\}^*$ is one-way if the following two conditions hold:

Easy to compute: There exists a (deterministic) polynomial-time machine $A$ such that on input $x$, $A$ outputs $f(x)$.

Hard to invert: For every probabilistic polynomial-time machine $A'$, every polynomial $poly(\cdot)$ and all sufficiently large $n$'s,

$$\Pr[x \leftarrow \{0,1\}^n;\ y = f(x);\ x' \leftarrow A'(y) : y = f(x')] < \frac{1}{poly(n)}.$$



Theorem 4 (Ostrovsky and Wigderson). Assume that there exists a ZK language outside ETA. Then there exist one-way functions.

Now we show that the negative relationship is obtained by combining Theorem 2 and Theorem 4.

Theorem 5. For any pair of length functions $(l_{in}, l_{out})$, proving the implication "if one-way functions exist then $(l_{in}, l_{out})$-restricted correlation intractable function ensembles exist" is as hard as proving 3R-AIZK-AM$[l_{in}, l_{out}] \subseteq$ ETA.

Proof. Let $(l_{in}, l_{out})$ be any pair of length functions. Recall that 3R-AIZK-AM$[l_{in}, l_{out}] \subseteq$ AIZK $\subseteq$ ZK. Therefore, Theorem 4 says that assuming there exists a 3R-AIZK-AM$[l_{in}, l_{out}]$ language outside ETA, one-way functions exist. On the other hand, Theorem 2 says that if there exist $(l_{in}, l_{out})$-restricted correlation intractable function ensembles, it holds that 3R-AIZK-AM$[l_{in}, l_{out}] \subseteq$ ETA.

Assume that if one-way functions exist then $(l_{in}, l_{out})$-restricted correlation intractable function ensembles exist. Then it follows that if there exists a 3R-AIZK-AM$[l_{in}, l_{out}]$ language outside ETA, then 3R-AIZK-AM$[l_{in}, l_{out}] \subseteq$ ETA. This means that it unconditionally holds that 3R-AIZK-AM$[l_{in}, l_{out}] \subseteq$ ETA. □

* Furthermore, it is well-known that IP $=$ ZK $=$ PSPACE assuming the existence of non-uniform one-way functions.

Theorem 5 does not imply the non-existence of restricted correlation intractable function ensembles. One-way functions and restricted correlation intractable function ensembles may exist simultaneously.

As mentioned above, the assumption of the existence of restricted weak correlation intractable function ensembles is not sufficient for the triviality of 3-round AIZK AM proofs. Therefore, Theorem 5 does not extend to restricted weak correlation intractable function ensembles.

5 Concluding Remarks

In this paper, we have shown that, assuming the existence of restricted correlation intractable function ensembles, 3-round AIZK AM protocols exist only for trivial languages. Our proof uses the verifier's auxiliary-input in an essential way: the auxiliary-input of the cheating verifier is used as the seed of the restricted correlation intractable function ensemble. Therefore, our result does not apply to the notion of GMR-ZK. One may think that if we define restricted correlation intractability in a single-function model, we can prove an analogous result with respect to GMR-ZK. However, as described in the cited reference, such functions do not exist.

Using the above triviality result, we have shown that, for any pair of length functions $(l_{in}, l_{out})$, proving the implication "if one-way functions exist then $(l_{in}, l_{out})$-restricted correlation intractable function ensembles exist" is as hard as proving 3R-AIZK-AM$[l_{in}, l_{out}] \subseteq$ ETA. We believe that proving the latter claim unconditionally is a fundamental open problem in the theory of ZK proofs. Therefore, this can be viewed as strong evidence that it will be difficult to construct restricted correlation intractable function ensembles assuming only that one-way functions exist. It is interesting to investigate how hard it is to prove that 3R-AIZK-AM$[l_{in}, l_{out}] \subseteq$ ETA without making any assumptions.
Abstract. As the blind signature introduced by Chaum [10] does not reveal any information about the message or its signature, it has been used to provide anonymity in secure electronic payment systems. Unfortunately, this perfect anonymity could be misused by criminals, as blind signatures prevent linking the withdrawal of money and the payment made by the same customer. Therefore, we should provide a publicly verifiable mechanism if it is required for the judge to trace blackmailed messages. In this study, we propose a modified fair blind signature which additionally provides message recovery. After analyzing the existing meta-ElGamal scheme [12] suggested by Horster, the model of a message recovery blind signature is considered first. We then suggest a new fair blind signature based on the oblivious transfer protocol, with which a judge can verify its fairness. The proposed scheme can be extended to a blind multi-signature and is also applicable to diverse payment applications.



1 Introduction

Both anonymity and the prevention of double spending must be considered when implementing secure electronic cash based on public key cryptosystems [1,2]. Since the existing proposals for electronic payment systems such as Chaum [3] and Brands [4,5] provide perfect anonymity, they could be misused by criminals. Concretely, as the blind signature scheme introduced by Chaum [10] provides perfect unlinkability, it can be used to provide anonymity in electronic payment systems. However, as a blind signature prevents linking the withdrawal of money and the payment made by the same customer, this anonymity could be misused by criminals [6,7]. Given perfect unlinkability, the double spending problem can arise as a "side-effect".

Therefore, it would be useful if the anonymity could be removed with the help of a trusted entity when this is required for legal reasons. A judge, as a trusted entity, can verify the message-signature pair if necessary. We must pursue a similar mechanism for electronic payment systems by considering a new publicly verifiable type of fair cryptosystem. By running the link-recovery protocol, the signer obtains information from the judge and can recognize the corresponding protocol view and message-signature pair. Using this fair blind signature [18], both the confidence and the fairness of the signed message in an electronic payment system can be enhanced.

H. Imai and Y. Zheng (Eds.): PKC'99, LNCS 1560, pp. 97-…, 1999.

In this study, we propose a new fair blind signature, starting from an investigation of the essential blind signature for implementing electronic payment systems. The model of the message recovery blind signature scheme is obtained by transforming the existing Horster scheme [11,12,13,14]. It is then modified into a fair blind signature scheme using the properties of the oblivious transfer protocol [15,16]. The proposed scheme performs pre-registration processes, through the relations of each entity with the trusted entity, to provide fairness. The proposed scheme can be extended to a blind multi-signature and is also applicable to diverse applications.

We first present Horster's scheme together with the common concepts of blind signatures, and review the existing fair blind signature, in sections 2 and 3 respectively. We then propose the message recovery fair blind signature, which makes the most of the characteristics of the oblivious transfer protocol, in section 4. Furthermore, we compare the suggested scheme with the existing one in section 5 and conclude this study with a consideration of future work in the final section.

2 Message Recovery Blind Signature

2.1 Definition of Blind Signature

A blind signature scheme, first introduced by Chaum [10], is a protocol for obtaining a signature from a signer such that the signer's view of the protocol cannot be linked to the resulting message-signature pair. Unlinkability means that no relation can be found that links the message and its signature between the signer and the sender who carries out the blind signature transaction. In other words, a blind signature scheme is an important cryptographic tool for realizing systems in which the signer B can issue a credential without obtaining any useful information about either the pseudonym of the sender A or the issued credential.

Sender A receives a signature of B on a blinded message. From this, A computes B's signature on a message m chosen a priori by A. B has no knowledge of m nor of the signature associated with m. B's RSA public and private keys are (n, e) and d, respectively; k is a random secret integer chosen by A satisfying 0 < k < n - 1 and gcd(n, k) = 1. Blind signatures are applicable to diverse applications. In electronic payment systems, the message m represents A's electronic cash. This may be important in electronic cash applications where a message m might represent a monetary value which A can spend. When m* and its signature are presented to B for payment, B is unable to deduce which party was originally given the signed value. This allows A to remain anonymous, so that spending patterns cannot be monitored.
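The RSA blinding described above, written out as an added Python example; this is not code from the paper or from Chaum's original. The key is constructed from two known Mersenne primes, and the message is a raw integer as in the textbook description, so no hashing or padding is applied (a real deployment would sign a padded hash, and would use properly generated primes of adequate size).

```python
import math
import secrets

# Constructed RSA key for the signer B: 2^61 - 1 and 2^31 - 1 are both prime.
P = (1 << 61) - 1
Q = (1 << 31) - 1
N = P * Q
E = 65537                          # public exponent; gcd(E, phi(N)) = 1 for these primes
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (3-arg pow with -1 needs Python 3.8+)


def blind(m, n=N, e=E):
    """Sender A: choose a random blinding factor k with gcd(n, k) = 1 and hand B
    the blinded message m* = m * k^e mod n, which reveals nothing about m to B."""
    while True:
        k = secrets.randbelow(n - 2) + 2   # k in [2, n-1]
        if math.gcd(k, n) == 1:
            break
    m_star = (m * pow(k, e, n)) % n
    return m_star, k


def sign_blinded(m_star, d=D, n=N):
    """Signer B: signs exactly what it sees, s* = (m*)^d mod n."""
    return pow(m_star, d, n)


def unblind(s_star, k, n=N):
    """Sender A: remove the blinding factor, s = s* * k^{-1} mod n, which equals m^d mod n
    because (m * k^e)^d = m^d * k mod n."""
    return (s_star * pow(k, -1, n)) % n


def verify(m, s, e=E, n=N):
    """Anyone holding B's public key: check s^e = m mod n."""
    return pow(s, e, n) == m % n


def blind_signature_demo(m):
    """Run the whole exchange and return both parties' views so they can be compared."""
    m_star, k = blind(m)
    s_star = sign_blinded(m_star)
    s = unblind(s_star, k)
    return {"signer_view": (m_star, s_star), "result": (m, s), "valid": verify(m, s)}
```

The signer's view (m*, s*) and the spendable pair (m, s) are related only through k, which A never discloses; for every (m, s) that B later sees at payment there is exactly one k consistent with each of B's earlier views, so the view gives B no information about which withdrawal produced the coin.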

Horster's meta-ElGamal scheme [12] developed the existing blind signature with an ElGamal [9]-type cryptosystem, which provides a secure blind scheme based on the difficulty of the primitive discrete logarithm problem. In this study, we propose a message recovery blind signature based on Horster's scheme and generalize it into a customized model. Furthermore, we can develop this scheme into the modified fair blind signature scheme by analyzing this model.



2.2 Model of Message Recovery Blind Signature

The definition of a blind signature that provides message recovery is as follows. Although the key generation algorithm is similar to that of a common blind signature, the interactive protocol itself provides additional message recovery functions.

Definition 1. Message recovery blind signature (SKG, IP_MR, Ver_MR).

— SKG: A signature key generation algorithm for the public/private key pair (x, y).

— IP_MR: An interactive blind signature protocol (sender(m, y), signer(x)) which provides message recovery between the sender and the signer. On the sender's input of the message m and the signer's public key y, the signer inputs his private key x. The signer transfers the blind signature s = sender(m, y) signer(x) to the sender.

— Ver_MR: A signature verification algorithm which outputs accept on input a public key y and a signature s if s is a valid signature of the message m with respect to the public key y, and otherwise outputs reject.

The model of the message recovery blind signature is shown in Fig. 1.

Fig. 1. Model of blind signature protocol providing message recovery.



Based on this generalized model, we will review a new blind signature providing verification by a public entity and enhance it into a fair signature scheme.

3 Fair Blind Signature

3.1 Model of Stadler's Fair Blind Signature [18]

A fair blind signature scheme, introduced by Stadler, is a blind signature scheme with an additional algorithm which publicly verifies the blinded message and also makes it possible to selectively revoke the "blindness" of the scheme. On the message-signature pair generated between the sender A and the signer B, the trusted entity J can associate the blinded information. The model of Stadler's fair blind signature defines the revocation key generation algorithm RKG and the secret key generation algorithm SKG. It also specifies the blind signature protocol IP between the sender and the signer and the verification protocol Ver. For extracting linkability, the revocation algorithm R is defined. The concrete model of Stadler's fair blind signature is given in the following definition.



Definition 2. Stadler's fair blind signature (RKG, SKG, IP, Ver, R).

— RKG: A probabilistic revocation key generation algorithm. It outputs a random secret/public revocation key pair.

— (SKG(y_R), IP, Ver): A protocol of fair blind signature. It performs the blind signature on y_R if the corresponding secret revocation key is not known.

— R(x_R, ...): A revocation algorithm with one or both of the following properties.

• type_I: Given the signer's view of the protocol, the judge delivers information that enables the signer to efficiently recognize the corresponding message-signature pair. On input the secret revocation key and the signer's view View(Signer(x) sender(m, y)), R outputs a value linkable to the corresponding message-signature pair (m, s).

• type_II: Given the sender's view of the protocol, the judge delivers information that enables the sender to efficiently recognize the corresponding message-signature pair. On input the secret revocation key and a message-signature pair (m, s), R outputs a value linkable to the corresponding signer's view View(Signer(x) sender(m, y)).

Using this link revocation protocol, the judge can associate the signer's signature with the sender's message. There are two types of revocation in the proposed protocol, type_I and type_II. In electronic payment systems, the judge can trace an illegal withdrawal and detect double spending using these revocations, respectively. The concrete model of Stadler's scheme is shown in Fig. 2.

Fig. 2. Model of Stadler's fair blind signature.

3.2 Stadler's Fair Blind Schemes

Stadler proposed both a fair blind signature scheme based on Chaum's blind signature [10] with the well-known cut-and-choose method and a variation of the Fiat-Shamir signature scheme [8]. We refer to the former as the Stadler-CC scheme and to the latter as the Stadler-FS scheme.

First of all, the Stadler-CC scheme applies Chaum's blind signature with RSA methods using cut-and-choose. Unfortunately, this fair blind signature scheme is inefficient, as a large amount of data is exchanged during the signing protocol and the resulting signature is long in order to provide the type_I and type_II verification processes. The more efficient implementation is the Stadler-FS scheme.

The Stadler-FS scheme is based on the concept of fair one-out-of-two oblivious transfer f-OT_1^2, which uses the property of quadratic residues in the generation step of the blind signature, with a variation of the Fiat-Shamir signature scheme [8]. However, Stadler's scheme does not provide a message recovery facility. In this study, a publicly verifiable fair blind signature is proposed based on the model of the message recovery signature scheme.



4 Proposed Message Recovery Fair Blind Signature

The suggested fair blind signature scheme provides a publicly verifiable process on the signed message if the trusted entity wants to certify the blind signature. The concrete processes of the registration protocol and the message recovery fair blind signature are as follows.

4.1 Model of Registration for Fair Blindness

To provide fairness, publicly verifiable functions must be provided by the trusted entity. Therefore, the sender A performs the pre-registration processes with the trusted entity and receives the secrets used for the fair blind signature. The signer performs the blind signature on the sender's message and returns the signed message to the sender. We define the registration protocol as follows.

Definition 3. Registration protocol for fair blind signature RP.

— RP: An interactive registration protocol (sender(δ, y), judge(x)) which provides the secrets required for the blind signature between the sender and the trusted entity.

The sender inputs his own random secret δ and the trusted entity's public key y. The trusted entity returns the registration result v' = sender(δ, y) judge(w, x) on input of its secret key x. From the response v', the sender gets the secret v that can be used in the fair blind signature. Both the sender's δ, v and the trusted entity's c, w constitute the basic information for confirming their fairness. The value c contains the publicly verifiable information of the trusted entity. The registration protocol is depicted in Fig. 3.

Fig. 3. Pre-registration protocol model for fair blind signature.



4.2 Model of Message Recovery Fair Blind Signature

We can enhance the existing fair blind signature into a message recovery scheme based on Horster's mechanism. Using the pre-registration protocol, the trusted entity allocates the secrets for fairness to the sender, and by the key generation algorithm the signer receives his secret key. Additionally, a verifiable fair blind function can be defined by the suggested interactive signature protocol with message recovery facility. Fig. 4 shows the model of the fair blind signature providing message recovery.

Definition 4. Message recovery fair blind signature (RP, SKG, FIP_MR, R, FVer_MR).

— SKG: Public/secret key generation algorithm based on the registration protocol RP.

— FIP_MR: An interactive fair blind signature issuing protocol involving a sender and a signer for message recovery. The sender's inputs are a value v generated in the registration process, a message m and a public key y. The signer's inputs are the information c for the fair protocol and the corresponding secret key x. The signer sends his blinded message s = sender(v, m, y) signer(c, x) to the sender.

— R: A revocation algorithm on the blind signature with one or both of the following properties, r_I for type_I and r_II for type_II.

• r_I: From the signer's signature (m*, s*), the trusted entity J can associate the sender's message (m, s).

• r_II: From the sender's signature (m, s), the trusted judge J can associate the signer's message (m*, s*).

— FVer_MR(r, y, s): A fairness verification algorithm that confirms the overall blinded signature if s is a valid signature of the message m with respect to the revocation information r and the public key y.

[Fig. 4 diagram not reproduced; legible labels: RP, Oblivious Transfer, SKG with (c, x), FVer_MR(r_I, y, s) and FVer_MR(r_II, y, s).]

Fig. 4. Proposed model of message recovery fair blind signature.
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4.3 Registration Steps for Fair Blindness 

In this study, proposed signature scheme based on Horster’s protocol does the 
registration steps at first for generating fair signature. The sender A performs 
the registration with the trusted entity J as follow sequences. 

Step 1: Request for registration.

— The sender A generates a random secret s_A ∈ Z_q.

— A sends both δ = g^{s_A} mod p and the identity information ID_A to the trusted entity J to request his registration.

Step 2: Registration.

— The trusted entity J generates both v_j, v_{1−j} ∈ Z_q, used in the fair signature process, and a random w_J ∈ Z_q which satisfies t_J = g^{w_J} mod p.

— J stores A's ID_A, δ and the revocation keys v_j, v_{1−j} in his database.

— J computes c = h(δ·v_j ‖ δ·v_{1−j} ‖ t_J) using a hash function on the keys.

— The trusted entity generates s_J based on the Schnorr signature scheme and sends the message (δ·v_j, δ·v_{1−j}, s_J, c) to A.

Step 3: Verification of registration.

— A verifies J's message using his own random value δ and obtains the revocation keys v_j, v_{1−j} from it.

— As the value c will be used in the β_j, β_{1−j} of the oblivious transfer protocol, the message-signature pair can be fairly verified in the end.

Fig. 5 shows the detailed registration steps of our proposed scheme.



(Proof) Verification that u_J, computed from δ and y, equals t_J mod p.

u_J = t_J mod p

c' = h(δ·v_j ‖ δ·v_{1−j} ‖ u_J) = h(δ·v_j ‖ δ·v_{1−j} ‖ t_J) = c

4.4 Modified Message Recovery Fair Blind Signature (Mo-MR-FBS)

Both a sender and a signer interact to generate the fair blind signature after the registration process. In this study, we apply the concept of oblivious transfer to the blind signature to provide fairness on the signed message. The concept of oblivious transfer was introduced by Rabin [15]: A sends m bits of a message to B, each arriving with probability 50%, and A does not know which bits were received. A has two strings s_0, s_1. A encrypts one of his strings and the message m with B's public key P_B and sends this to B. B decrypts it and extracts one of the strings s_0 or s_1 using his private key. However, A will not know which of the two B obtained. In this study, we use this as an intermediary to provide fair verification by the trusted entity. The proposed message recovery fair blind signature scheme uses the secrets v_j, v_{1−j} received from the trusted entity for its oblivious transfer protocol. The detailed process is as follows, with Fig. 6.

Fig. 5. Registration protocol on trusted judge J.



Step 1: Initial oblivious transfer.

— The sender A generates β_j, β_{1−j} using the revocation keys v_j, v_{1−j}:

β_j = g^{v_j + v_{1−j}} mod p, β_{1−j} = c · β_j^{−1} mod p

— A sends β_j, β_{1−j} to the signer B.

Step 2: Generation of fair blind parameters.

— The signer B verifies the received values by c = β_j · β_{1−j} mod p and checks whether it is the same as the value stored in the trusted entity's database.

— The signer generates his own random secrets z_j*, z_{1−j}* ∈ Z_q.

— B sends the blind parameters λ_0*, λ_1* and γ_0, γ_1 to A.

λ_j* = g^{z_j*} mod p, λ_{1−j}* = g^{z_{1−j}*} mod p

γ_j = (·) mod p, γ_{1−j} = (·) mod p

Step 3: Sending of the blinded message.

— The sender A generates r_j and m* on his own message m:

r_j = m^{−1} · (λ_j*)^{v_j} · y^{v_{1−j}} mod p, m* = v_j^{−1} · (r_j − v_{1−j}) − λ_j* mod q

— A sends m* to the signer B.

Step 4: Generation of the blinded signature.

— The signer B generates the blind signature s* on m*:

s* = x · (m* + λ_j*) − z_j* mod q

— B sends it to the sender A.

Step 5: Verification of the fair blind signature with message recovery.

— Sender A computes s_j to recover the message from the signer's s*:

s_j = v_j · s* mod q

— A calculates m = r_j^{−1} · g^{−s_j} · y^{r_j} mod p to verify its signature.

Fig. 6. Modified Horster-type message recovery fair blind signature (Mo-MR-FBS).

(Proof) Verification of m = r_j^{−1} · g^{−s_j} · y^{r_j} mod p.

r_j^{−1} · g^{−s_j} · y^{r_j} = r_j^{−1} · g^{−x·(r_j − v_{1−j}) + v_j·z_j*} · g^{x·r_j} = r_j^{−1} · (λ_j*)^{v_j} · y^{v_{1−j}} = m mod p

5 Analysis of the Proposed Schemes

5.1 Fairness of the Proposed Schemes

To verify the fairness of the proposed scheme, we review each revocation type, r_I on type I and r_II on type II. The trusted entity J can associate the signer's signature (m*, s*) with the sender's message (m, s) using the revocation function r_I, and J can do it in the reverse order with the r_II function. As s* and s_j are related by s_j = v_j · s* mod q through the following equations, we can associate the signer's message (m*, s*) with its counterpart.

r_j = m^{−1} · (λ_j*)^{v_j} · y^{v_{1−j}} mod p, r_j = v_j · (m* + λ_j*) + v_{1−j} mod q

m = (v_j · (m* + λ_j*) + v_{1−j})^{−1} · (λ_j*)^{v_j} · y^{v_{1−j}} mod p

s_j = v_j · s* mod q

= v_j · (x · (m* + λ_j*) − z_j*) mod q
= v_j · (x · (v_j^{−1} · (r_j − v_{1−j})) − z_j*) mod q
= x · (r_j − v_{1−j}) − v_j · z_j* mod q

Moreover, the trusted entity can link the sender's message (m, s) with m* and s* using his own secrets as follows. The trusted entity can publicly verify the blinded signature s* using the signer's secret x and his random variable z_j*. However, this type II verification can be provided by additional preprocessing between the trusted entity and the signer.

m* + λ_j* = v_j^{−1} · (r_j − v_{1−j}) mod q, s* = x · v_j^{−1} · (r_j − v_{1−j}) − z_j* mod q
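The five steps of Section 4.4 and the relation s_j = x·(r_j − v_{1−j}) − v_j·z_j* of Section 5.1, run end to end as an added example; this is not code from the paper. Everything here is an assumption of the example: the toy group p = 2039, q = 1019, g = 4 (chosen only so the run is instant; the paper's setting is 1024-bit), SHA-256 standing in for the hash h, the registration without J's Schnorr signature s_J and without the γ parameters (their form is not given in this excerpt), and all function names. The recovery formula m = r_j^{−1} g^{−s_j} y^{r_j} mod p is the one that follows from the 5.1 relation; the type I check shows what the judge can do with the stored revocation keys alone.

```python
import hashlib
import secrets

# Toy group constructed for this example: p = 2q + 1 with q prime, g of order q.
# A real deployment uses a 1024-bit or larger p; these values only keep the run fast.
P, Q, G = 2039, 1019, 4


def inv_p(a):
    return pow(a, -1, P)


def inv_q(a):
    return pow(a, -1, Q)


def rand_q():
    return secrets.randbelow(Q - 1) + 1


def h_concat(*parts):
    """Hash h(.) of the registration step; SHA-256 mapped into Z_p^* is an assumption."""
    data = b"||".join(str(v).encode() for v in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (P - 1) + 1


def registration(s_A, v_j, v_1mj, w_J):
    """Trusted entity J: delta = g^{s_A} comes from A, t_J = g^{w_J}, and
    c = h(delta*v_j || delta*v_{1-j} || t_J).  J's Schnorr signature s_J is omitted."""
    delta = pow(G, s_A, P)
    t_J = pow(G, w_J, P)
    return delta, h_concat(delta * v_j % P, delta * v_1mj % P, t_J)


def ot_parameters(c, v_j, v_1mj):
    """Step 1: beta_j = g^{v_j + v_{1-j}} mod p, beta_{1-j} = c * beta_j^{-1} mod p."""
    beta_j = pow(G, (v_j + v_1mj) % Q, P)
    return beta_j, c * inv_p(beta_j) % P


def signer_checks_c(beta_j, beta_1mj, c_in_db):
    """Step 2: the signer B recomputes c = beta_j * beta_{1-j} mod p and compares it
    with the value registered at the trusted entity."""
    return beta_j * beta_1mj % P == c_in_db


def blind(m, lam_star, y, v_j, v_1mj):
    """Step 3 (sender): r_j = m^{-1} (lambda_j*)^{v_j} y^{v_{1-j}} mod p and
    m* = v_j^{-1} (r_j - v_{1-j}) - lambda_j* mod q."""
    r_j = inv_p(m) * pow(lam_star, v_j, P) * pow(y, v_1mj, P) % P
    m_star = (inv_q(v_j) * (r_j - v_1mj) - lam_star) % Q
    return r_j, m_star


def sign_blinded(m_star, lam_star, x, z_star):
    """Step 4 (signer): s* = x (m* + lambda_j*) - z_j* mod q."""
    return (x * (m_star + lam_star) - z_star) % Q


def unblind(s_star, v_j):
    """Step 5 (sender): s_j = v_j * s* mod q."""
    return v_j * s_star % Q


def recover(r_j, s_j, y):
    """Message recovery from (r_j, s_j) and the public key y alone:
    m = r_j^{-1} g^{-s_j} y^{r_j} mod p, using s_j = x(r_j - v_{1-j}) - v_j z_j* (section 5.1)."""
    return inv_p(r_j) * pow(G, (-s_j) % Q, P) * pow(y, r_j, P) % P


def judge_link_type_I(m_star, s_star, lam_star, v_j, v_1mj):
    """Type I revocation: from the signer's view (m*, s*, lambda_j*) and the revocation
    keys stored at registration, J recomputes the sender's (r_j mod q, s_j)."""
    return (v_j * (m_star + lam_star) + v_1mj) % Q, v_j * s_star % Q


def run_protocol(m):
    """Runs registration, the oblivious-transfer check, blind signing, recovery and linking.
    Returns (recovered message, judge could link, tampered signature still recovers m)."""
    x = rand_q()
    y = pow(G, x, P)                        # signer B's key pair
    v_j, v_1mj = rand_q(), rand_q()         # revocation keys chosen by J for sender A
    _, c = registration(rand_q(), v_j, v_1mj, rand_q())
    beta_j, beta_1mj = ot_parameters(c, v_j, v_1mj)
    if not signer_checks_c(beta_j, beta_1mj, c):
        raise ValueError("oblivious-transfer parameters do not match registered c")
    z_star = rand_q()
    lam_star = pow(G, z_star, P)            # blind parameter lambda_j* from B
    r_j, m_star = blind(m, lam_star, y, v_j, v_1mj)
    s_star = sign_blinded(m_star, lam_star, x, z_star)
    s_j = unblind(s_star, v_j)
    recovered = recover(r_j, s_j, y)
    linked = judge_link_type_I(m_star, s_star, lam_star, v_j, v_1mj) == (r_j % Q, s_j)
    tampered = recover(r_j, (s_j + 1) % Q, y) == m
    return recovered, linked, tampered


if __name__ == "__main__":
    print(run_protocol(1234))               # (1234, True, False)
```

The signer only ever sees m*, s* and his own λ_j*, z_j*; without v_j and v_{1−j} he cannot connect them to (r_j, s_j), which is the blindness. The judge, who stored v_j and v_{1−j} at registration, recomputes (r_j mod q, s_j) from the signer's view, which is the type I link.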

5.2 Security of the Proposed Schemes

The registration protocol is as secure as the Schnorr signature scheme. The trusted judge J applies a hash function to the keys v_j, v_{1−j} when sending the revocation keys, relying on the discrete logarithm problem. As the sender generates his own random number s_A ∈ Z_q, a forger cannot get any information about δ without knowing s_A. Thus computing s_A appears to be as difficult as computing the discrete logarithm log_g(δ). Additionally, as the value c from the registration protocol is used in the initial parameters of the oblivious transfer protocol, we can fairly verify the correctness of the message-signature pair by calculating c = β_j · β_{1−j} mod p.

We can assume that the security of the proposed message recovery fair blind signature (Mo-MR-FBS) is similar to that of the meta-ElGamal signature scheme. The security analysis for a total break of the signature scheme and for universal forgery of messages can also be adapted from the meta-ElGamal scheme. The proposed scheme uses the oblivious transfer protocol and generates fair blind parameters. An attacker can choose signature parameters at random and calculate the corresponding values. For a total break of the proposed scheme, the forger would randomly choose the secrets and then attempt to find γ_j, γ_{1−j}. In this method, the forger must solve the discrete logarithm of γ_j = (·) mod p. These computations are extremely difficult, and it is still an open question whether they are more difficult than solving the discrete logarithm problem.

5.3 Extensions of the Proposed Schemes

We can extend the proposed scheme into a message recovery fair blind multisignature (Mo-MR-FBMS). As the Mo-MR-FBMS provides the message recovery facility on the signatures of multiple users, the registration step of this scheme is similar to that of the Mo-MR-FBS. The sender merely generates the message with an additional hash function and multiple signers sign it. Finally, the sender verifies the multisignature with a rehashing function.

Using the secrets v_j, v_{1−j} from the trusted entity, the sender A sends β_j, β_{1−j} to the k signers B_i. Each signer B_i verifies whether c = β_j · β_{1−j} mod p is equal to the value generated by the trusted entity. Then each B_i generates its own secrets z*_{B_i,j}, z*_{B_i,1−j} ∈ Z_q. The sender computes m_i (1 ≤ i ≤ k) for each signer B_i, which satisfies the equation m = h(m_i ‖ i). On the signer's signature, the sender A calculates m'_i and applies the hash function to it as in the following equation. If m' is equal to m, we can accept the overall multisignature as correct.

m' = h(m'_i ‖ i) (1 ≤ i ≤ k), ∏_{i=1}^{k} (·) ∏_{i=1}^{k} (·) mod p

Message recovery fair blind signatures provide precise blindness without leaking any information on the sender's message, such as digital cash, when used in electronic payment systems. In the verification step on the signed message, the sender regenerates the same message as his own. Therefore, this message recovery scheme has an advantage in managing the amount of electronic cash in payment systems such as micropayment frameworks.

5.4 Performance Analysis of Proposed Schemes

Stadler-CC and Stadler-FS are fair blind signature schemes based on the security of RSA [2] and Fiat-Shamir [8] respectively, relying on the difficulty of the factoring problem. Stadler-FS provides type I verification for its fairness, although it can also be modified into a message recovery scheme.

The proposed Mo-MR-FBS scheme bases its security on the difficulty of the discrete logarithm problem, like ElGamal [9]. Mo-MR-FBS is also as secure as the meta-ElGamal [12] scheme. However, the suggested scheme applies the oblivious transfer protocol to both the key generation and blind signature transactions only once, after the registration steps in its preprocessing with the trusted entity. Therefore, the proposed scheme is more efficient in the amount of computation and communication bandwidth than the existing Stadler-FS protocol, which repeatedly applies the oblivious transfer scheme throughout the blind signature process. Mo-MR-FBS provides both type I and type II verification with the trusted entity. We can compare the properties of the fair blind signature schemes as in Table 1.



Table 1. Property comparison of fair blind signature.

Items/Methods                         | Stadler-CC     | Stadler-FS         | Mo-MR-FBS          | Mo-MR-FBMS
Primitive                             | RSA            | Fiat-Shamir        | ElGamal            | ElGamal
Problem                               | Factoring      | Factoring          | Dis. Log.          | Dis. Log.
Message Recovery                      | ×              | △                  | ○                  | ○
Fair Blind Multisignature             | ◇              | △                  | △                  | ○
Fair Cryptosystem                     | ◇              | △                  | △                  | △
Additional Cryptosystem for Fairness  | Cut and Choose | Oblivious Transfer | Oblivious Transfer | Oblivious Transfer
Applying Step of Fairness             | Signature Step | Signature Step     | Initial Step       | Initial Step
Secret Sharing                        | ×              | △                  | △                  | △
Types of Fairness                     | I/II           | I                  | I/II               | I/II

×: impossible, ◇: unable to decide, △: possible after modification, ○: providing



The suggested scheme has properties similar to secret sharing [22]. The partitioned signatures s_i are sent to each verifier B_i. When required to certify the signature, they can verify it using their shared secrets. The proposed Mo-MR-FBMS scheme also has properties similar to secret sharing. We can analyze the performance of the fair blind signature schemes as in Table 2.

6 Conclusions

In this paper, we modify the existing meta-ElGamal schemes introduced by Horster, which are based on the difficulty of discrete logarithm problems, to improve on the "side-effects" of Chaum's blind signature [10]. As a result, a message recovery fair blind signature scheme is also proposed using the properties of the oblivious transfer protocol. We first analyzed the model of a blind signature that provides the function of message recovery. The proposed fair blind signature scheme applies the additional oblivious transfer protocol in the first stage of the blind signature, which raises the overall performance above that of the existing fair blind schemes [18,19]. The judge can publicly verify the two types of fairness on the signed message if required.

Table 2. Performance analysis of fair blind signature.

Items/Methods                                         | Stadler-CC | Stadler-FS (Id = k') | Mo-MR-FBS | Mo-MR-FBMS (M = k)
Iteration Number                                      | 4          | 1 + 2k'              | 4         | 4k
Preprocessing                                         | ○          | ×                    | △         | △
On-line Processing (Sender), 1024-bit Mod. Mult.      | 300 + α    | 550,000 + α          | 300 + α   | (300 + α)k
Processing of Signature (Signer), 1024-bit Mod. Mult. | 1,650 + α  | 830,000 + α          | 300 + α   | (300 + α)k
Processing of Signature (Sender), 1024-bit Mod. Mult. | 60 + α     | 90 + α               | 300 + α   | (300 + α)k

We can combine this proposed scheme with an off-line electronic payment system using additional concepts such as a counter-based micropayment framework, keeping an accurate account based on the ability of the suggested message recovery function. As the recovered message generates the electronic cash in itself, we can apply counting methods to the balance of its account. As a result, the message recovery scheme can provide advanced electronic payment systems in terms of computation and complexity, especially in smart-card-based micropayment systems.
Abstract. We present a scheme for quorum controlled asymmetric proxy re-encryption, with uses ranging from efficient key distribution for pay-tv to email applications. We prove that the scheme, which is based on ElGamal encryption, leaks no information as long as there is no dishonest quorum of proxy servers. Of potential independent interest is a method providing publicly verifiable translation certificates, proving that the input and output encryptions correspond to the same plaintext message, without leaking any information about the plaintext to either the verifier or a subset of the servers of the prover. The size of the certific ate is small, and independent of the number of prover servers.

Keywords: asymmetric proxy re-encryption, translation certificate, ElGamal encryption, quorum control, robustness, privacy.



1 Introduction

With an increasing importance of encryption methods for privacy and protection of business secrets, and with an increasing need for a flexible infrastructure, we foresee the need for many new secure and flexible primitives extending the basic communication and encryption capabilities available today. One such primitive is proxy re-encryption, which was recently introduced by Blaze, Bleumer and Strauss. Proxy re-encryption is a translation between ciphertexts from one encryption key to another encryption key. It can be used to forward encrypted messages without having to expose the cleartexts to the participants involved, a primitive with many potential commercial uses.

In symmetric proxy encryption, which was exhibited by Blaze, Bleumer and Strauss, the proxy (who is the entity performing the translation, and who is typically not a distributed entity) needs to know a function of the secret keys associated with both the incoming and outgoing transcripts. The proxy needs to be trusted not to collude with one of the participants holding these secret keys, or the other secret key can be derived. (This characterization has the same meaning as that of a setting in which no trust has to be placed in the proxy, but the two other participants need to trust each other.)

On the other hand, in asymmetric proxy re-encryption, it is not necessary for the proxy to know any function of the secret key corresponding to the produced ciphertext, which is advantageous given that we often want to forward encrypted messages to parties who do not trust us with their secret key. In a quorum control setting, the proxy only needs to know the secret key corresponding to the incoming ciphertext. It is natural that the party whom the incoming ciphertext is for needs to trust the proxy to some extent, since the proxy controls how incoming messages are re-encrypted and forwarded. However, if the proxy is quorum controlled and the re-encryption is robust, then this party only needs to trust that there is no dishonest quorum of proxy servers.

H. Imai and Y. Zheng (Eds.): PKC'99, LNCS 1560, pp. 112-, 1999. © Springer-Verlag Berlin Heidelberg 1999

In this paper, we demonstrate how to implement asymmetric proxy re-encryption, which was posed as an open problem. For security, the transformation is performed under quorum control: This guarantees that if there is no dishonest quorum, then the plaintext message whose encryption is being transformed is not revealed to the proxy servers. Our solution is efficient; allows tight control over actions (by the use of quorum cryptography); does not require any pre-computation phase to set up shared keys; and has a trust model appropriate for a variety of settings. We believe that such a mechanism may be very useful in many applications:

— It allows the proxy to transform encrypted messages to encryptions with a variety of different recipient public keys, to allow for categorization of the encryptions. The categorization may be performed either as a function of the transcripts and their origins, randomly (e.g., assigning an examiner to an electronically submitted patent), or as a function of time, and may be used to sort the encrypted messages according to priority or security clearance. A practical and concrete example is that you want somebody to be able to read your email while you are on vacation, but you do not want to force the senders of the messages to have to know that the messages are being re-routed. In a situation like this, a symmetric model is inappropriate. Also, some form of control is desirable, guaranteeing that the messages are being handled according to the instructions.

— It allows more efficient communication to a large number of recipients that are physically clustered around the proxy; the sender would only need to send one encryption, along with an authenticated list of recipients. This may prove very useful for pay-tv, general multi-cast, and related applications.

— Last but not least, we believe that asymmetric proxy encryption may become a useful building block in the design of secure and efficient multi-party protocols.

A partial result of potential independent interest is a non-interactive proof that the correct translation between encryptions was performed, i.e., that the incoming and outgoing encryptions indeed encrypt the same message. The transcript, which we call a translation certificate, is publicly verifiable, is compact (using standard security parameters¹, it is a mere 396 bytes long, independently of the number of provers), and does not leak any information about the plaintext to verifiers or to a subset of the provers.

¹ We use |p| = 1024, |q| = 160.

Our techniques draw on ideas used in the work on proactive security, on methods for undeniable signatures, Schnorr signatures, and methods for information-theoretic secret sharing.

Outline: We start in section 2 by reviewing related work. We then discuss the requirements on our scheme in section 3. In section 4 we then present our basic scheme for proxy re-encryption, followed in section 5 by a protocol for generating translation certificates. We end by stating and proving claims in sections 6 and 7.



2 Review

Public and Secret Information: Let p, q be primes such that p = 2q + 1, and g be a generator of G_p. The proxy servers share a secret key x_1 using a (k, n) threshold scheme; their corresponding public key is y_1 = g^{x_1} mod p. (Onwards, we assume all arithmetic to be modulo p where applicable, unless otherwise stated.) Likewise, the recipient has a secret key x_2 with a corresponding public key y_2 = g^{x_2}.

ElGamal: Our protocol uses ElGamal encryption. To encrypt a value m² using the public key y, a value γ ∈ Z_q is picked uniformly at random, and the pair (a, b) = (m y^γ, g^γ) is calculated. Thus, (a, b) is the encryption of m. In order to decrypt this and obtain m, m = a/b^x is calculated.

The Decision Diffie-Hellman Assumption: Let p = 2q + 1, for primes p and q, and let m, g be generators of a subgroup of order q. Then, the pairs (m, m^x, g, g^x) and (m, m^r, g, g^x) are indistinguishable, for random and unknown values r, x ∈ Z_q, m, g ∈ G_p.



3 Preliminaries

An entity with public key y_1 assigns a proxy, agrees with the proxy on rules for re-encryption, and distributes shares of his secret key x_1 to the servers of the proxy. Later, the proxy receives a transcript E_1, which is an ElGamal encryption of a message m using public key y_1. The proxy produces and outputs a transcript E_2, which is an ElGamal encryption of the same message m, but using a given public key y_2, which is chosen according to the rules set by the entity associated with y_1. We note the re-encryption method can be extended to long messages by replacing m by a symmetric key used for encryption of a long message m_long whose ciphertext is passed along unaltered to the entity associated with y_2. The transformation is controlled by the use of quorum actions. Informally, the requirements on our scheme are:

1. Correctness: Any quorum Q of proxy servers, sharing a secret key x_1, will be able to perform the above re-encryption.

2. Robustness: If any participant in the transformation protocol would output incorrect transcripts, then this will be detected by all honest participants. The protocol will allow the honest participants to determine what participants cheated, and to substitute these.

3. Public Verifiability: Anybody must be able to verify that the correct transformation was performed, without having or receiving knowledge of any secret information. The corresponding proof, the translation certificate, must be compact and be verifiable without interaction.

4. Asymmetry: The proxy servers must need no information about the secret key x_2 corresponding to the receiver's public key y_2 in order to perform the computation, and the receiver will need no information about x_1 or y_1 in order to decrypt E_2.

5. Privacy: The proxy re-encryption (including the generation of the translation certificate, and other robustness mechanisms) does not leak any information about m to any set of proxy servers smaller than a quorum.

In sections 6 and 7 we formalize these requirements and prove that our proposed scheme satisfies them.

² Here, m = (M/p) M for an original message M ∈ [1 . . . ], where (M/p) is the Jacobi symbol of M.

4 Gradual and Simultaneous Proxy Re-Encryption

The concept of our solution is to use gradual and simultaneous translation of transcripts. The translation is called gradual, since it is performed by quorum action, and each server's contribution to the computation is only a partial translation. We call it simultaneous since each server performs one partial decryption and one partial encryption, outputting such gradual re-encryptions without the cleartext ever being exposed. This approach makes all the partial translations simultaneous in the sense that no result is obtained until all the portions are accounted for.

We first consider a non-robust version of the proxy re-encryption, and then add on a proof to guarantee robustness.

Let (a_1, b_1) be an ElGamal encryption of a message m w.r.t. a public key y_1, and let x_1 be the corresponding secret key, which is shared by the proxy servers using a threshold scheme. The proxy servers wish to compute the ElGamal encryption (a_2, b_2) of m w.r.t. the public key y_2. They wish not to expose m to any set of dishonest proxy servers (or any other set of servers); according to our assumptions, they do not know the secret key x_2 of y_2.

For simplicity of notation, we assume that x_{1j} is the Lagrange-weighted secret key (using standard threshold-scheme methods) of proxy server j w.r.t. a given active quorum Q; y_{1j} = g^{x_{1j}} is the corresponding public key share. The servers in the quorum perform the following computation:

1. Server j selects a random value s_j uniformly at random from Z_q, and computes (c_j, d_j) = (b_1^{−x_{1j}} y_2^{s_j}, g^{s_j}). This pair is sent to the other proxy servers.

2. The servers (or alternatively, a non-trusted gateway) compute the pair (a_2, b_2) = (a_1 ∏_{j∈Q} c_j, ∏_{j∈Q} d_j). The pair (a_2, b_2) is output.
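The two-step quorum computation above, run with a (k, n) Shamir sharing of x_1 so that the Lagrange weighting of each server's share is visible, as an added example that is not code from the paper. The toy group p = 2039, q = 1019, g = 4, the use of Shamir sharing over Z_q as the threshold scheme, and every function name are assumptions of this example; the partial translation (c_j, d_j) and the combination (a_2, b_2) follow the formulas of steps 1 and 2. The recipient decrypts (a_2, b_2) with x_2 alone and x_1 is never reassembled anywhere.

```python
import secrets

# Toy group constructed for this example: p = 2q + 1, g generates the order-q subgroup.
P, Q, G = 2039, 1019, 4


def elgamal_keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def elgamal_encrypt(m, y):
    """(a, b) = (m * y^gamma, g^gamma) for random gamma in Z_q (section 2)."""
    gamma = secrets.randbelow(Q - 1) + 1
    return m * pow(y, gamma, P) % P, pow(G, gamma, P)


def elgamal_decrypt(ct, x):
    a, b = ct
    return a * pow(b, (-x) % Q, P) % P          # m = a / b^x


def share_secret(x, k, n):
    """(k, n) Shamir sharing of x over Z_q: shares (j, f(j)) with f(0) = x."""
    coeffs = [x] + [secrets.randbelow(Q) for _ in range(k - 1)]
    return [(j, sum(c * pow(j, i, Q) for i, c in enumerate(coeffs)) % Q)
            for j in range(1, n + 1)]


def lagrange_weight(j, quorum):
    """Weight so that sum_{j in quorum} weight_j * f(j) = f(0) = x_1."""
    num = den = 1
    for i in quorum:
        if i != j:
            num = num * (-i) % Q
            den = den * (j - i) % Q
    return num * pow(den, -1, Q) % Q


def partial_translation(ct1, x1j, y2):
    """Step 1, server j: (c_j, d_j) = (b_1^{-x_1j} * y_2^{s_j}, g^{s_j})
    for its Lagrange-weighted share x_1j and a fresh random s_j."""
    _, b1 = ct1
    s_j = secrets.randbelow(Q - 1) + 1
    return pow(b1, (-x1j) % Q, P) * pow(y2, s_j, P) % P, pow(G, s_j, P)


def combine(ct1, partials):
    """Step 2, servers or untrusted gateway: (a_2, b_2) = (a_1 * prod c_j, prod d_j)."""
    a1, _ = ct1
    a2, b2 = a1, 1
    for c_j, d_j in partials:
        a2 = a2 * c_j % P
        b2 = b2 * d_j % P
    return a2, b2


def reencrypt_via_quorum(ct1, shares, quorum, y2):
    """Only servers in the active quorum contribute; each weights its own share."""
    partials = [partial_translation(ct1, lagrange_weight(j, quorum) * xj % Q, y2)
                for j, xj in shares if j in quorum]
    return combine(ct1, partials)


def demo(m, k=3, n=5, quorum=(1, 3, 5)):
    """Returns (what the recipient decrypts from E_2, what x_1 decrypts from E_1)."""
    x1, y1 = elgamal_keygen()       # proxy owner; x1 is shared among n servers
    x2, y2 = elgamal_keygen()       # recipient; x2 is never given to the proxy
    shares = share_secret(x1, k, n)
    ct1 = elgamal_encrypt(m, y1)
    ct2 = reencrypt_via_quorum(ct1, shares, set(quorum), y2)
    return elgamal_decrypt(ct2, x2), elgamal_decrypt(ct1, x1)


if __name__ == "__main__":
    print(demo(321))                # (321, 321)
```

Because every c_j carries its own y_2^{s_j} factor, the product a_1 ∏ c_j equals m y_2^{s} with s = Σ s_j, and no single server's output reveals b_1^{−x_1}: the partial decryption and the partial encryption to y_2 are fused in one value, which is the "simultaneous" property of the section.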
The above protocol for proxy re-encryption is made robust by the use of translation certificates.

5 Generating the Translation Certificate

We want to produce a translation certificate, i.e., a non-interactive proof that a_1 b_1^{−x_1} = a_2 / y_2^{δ}, or in other words, a proof that (a_1, b_1) and (a_2, b_2) are encryptions of the same message, for secret decryption keys x_1 resp. x_2 of the two encryptions. The certificate must not leak any information to the verifier or to any non-quorum of prover servers. Also, it must not require knowledge of the second secret key, x_2, since this is not assumed to be known by the prover. Finally, it must be publicly verifiable. Our solution will produce such certificates that are short, and whose length does not depend on the number of provers.

More specifically, we need to prove that (a_2, b_2) = (a_1 b_1^{−x_1} y_2^{δ}, g^{δ}), for y_1 = g^{x_1}. In the proof, we will use a new generator, h, whose discrete log w.r.t. g is not known to any set of parties. We will also use a hash function hash, which is assumed to be collision free, and whose output is in Z_q. The proof has two components: One proving knowledge of the secret keys corresponding to two "public keys", the other proving that the output has the claimed relation to these two public keys. The version we show first is, for clarity, the single-prover version. We then explain how this is extended to a distributed prover, and how cheating provers are detected and traced.

In order to increase the readability of the protocol, we will rename certain variables to obtain a more uniform naming. To this extent, we will use the variable names (z_1, z_2, w_1, w_2, σ, ỹ_1, ỹ_2) to mean (y_1, b_2^{−1}, x_1, −δ, a_2/a_1, b_1, y_2). Thus, wanting to prove that a_2 = a_1 b_1^{−x_1} y_2^{δ}, for (y_1, b_2) = (g^{x_1}, g^{δ}), is the same as wanting to prove the corresponding relation between σ, ỹ_1 and ỹ_2 for (z_1, z_2) = (g^{w_1}, g^{w_2}).

Initialization:

P computes and outputs (z̃_1, z̃_2) = (h^{w_1}, h^{w_2}).

Part I:

1. P selects α ∈ Z_q, and computes (G, H) = (hash([g^α]_p), hash([h^α]_p)).

2. P computes a pair of challenges (e_1, e_2) = (hash(G, H, 1), hash(G, H, 2)).

3. P computes the response δ = [α − e_1 w_1 − e_2 w_2]_q. He outputs (G, H, δ).

Part II:

1. P selects β_1, β_2 ∈ Z_q, and computes (F, M) = (hash([g^{β_1} h^{β_2}]_p), hash([ỹ_1^{β_1} ỹ_2^{β_2}]_p)).

2. P computes a challenge e = hash(F, M).

3. P computes the response (d_1, d_2) = ([β_1 − e w_1]_q, [β_2 − e w_2]_q). He outputs (F, M, d_1, d_2).

The translation certificate is the transcript (z̃_1, z̃_2, G, H, δ, F, M, d_1, d_2). The proof can be distributively generated, with tracing of dishonest provers, as shown in the Appendix. It is verified by the verifier V as follows:

Verification:

1. V computes (e_1, e_2) = (hash(G, H, 1), hash(G, H, 2)), and accepts part I iff G = hash([g^δ z_1^{e_1} z_2^{e_2}]_p) and H = hash([h^δ z̃_1^{e_1} z̃_2^{e_2}]_p).

2. V computes e = hash(F, M), and accepts part II iff F = hash([g^{d_1} h^{d_2} (z_1 z̃_2)^e]_p) and M = hash([ỹ_1^{d_1} ỹ_2^{d_2} σ^e]_p).

3. If V accepted both part I and part II, then he outputs accept, otherwise he rejects.
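The single-prover certificate of this section, generated and verified end to end, as an added example that is not code from the paper. Assumptions of the example: the toy group p = 2039, q = 1019 with g = 4 and h = 9 (in a deployment log_g(h) must be unknown to everyone, which a toy square cannot guarantee), SHA-256 reduced into Z_q as hash with 0 excluded so that no challenge is trivial, [·]_p reduction applied before hashing, and the sign convention σ = a_1/a_2, chosen so that the relation proved is σ = ỹ_1^{w_1} ỹ_2^{w_2} with (w_1, w_2) = (x_1, −δ), which is what the Part II verification equation M = hash([ỹ_1^{d_1} ỹ_2^{d_2} σ^e]_p) checks. All function names are mine. The example also shows the certificate failing once a different a_2 is substituted, which is the robustness property Theorem 2 relies on.

```python
import hashlib
import secrets

# Toy group constructed for this example: p = 2q + 1, g and h generate the order-q
# subgroup.  Here h = 9 = 3^2 is just another square; in a deployment nobody may
# know log_g(h), e.g. h is derived by hashing a public string into the subgroup.
P, Q, G, H_GEN = 2039, 1019, 4, 9


def rand_q():
    return secrets.randbelow(Q - 1) + 1


def hash_q(*parts):
    """hash(.) of the paper: SHA-256 over the (mod-p reduced) inputs, mapped to a
    nonzero element of Z_q so that no challenge can be 0 (assumption of this example)."""
    data = b"|".join(str(v).encode() for v in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1) + 1


def mod_p(*factors):
    out = 1
    for f in factors:
        out = out * f % P
    return out


def encrypt(m, y):
    """ElGamal as in section 2: (a, b) = (m y^gamma, g^gamma)."""
    gamma = rand_q()
    return m * pow(y, gamma, P) % P, pow(G, gamma, P)


def reencrypt(ct1, x1, y2):
    """Single prover P holding x_1: (a_2, b_2) = (a_1 b_1^{-x_1} y_2^delta, g^delta)."""
    a1, b1 = ct1
    delta = rand_q()
    a2 = mod_p(a1, pow(b1, (-x1) % Q, P), pow(y2, delta, P))
    return (a2, pow(G, delta, P)), delta


def public_view(y1, y2, ct1, ct2):
    """Renaming of section 5: z_1 = y_1, z_2 = b_2^{-1}, ytilde_1 = b_1, ytilde_2 = y_2.
    sigma is taken as a_1/a_2 here (an assumption) so that the relation proved is
    sigma = ytilde_1^{w_1} ytilde_2^{w_2} with (w_1, w_2) = (x_1, -delta)."""
    a1, b1 = ct1
    a2, b2 = ct2
    return {"z1": y1, "z2": pow(b2, -1, P), "sigma": a1 * pow(a2, -1, P) % P,
            "yt1": b1, "yt2": y2}


def make_certificate(x1, delta, pub):
    w1, w2 = x1, (-delta) % Q
    zt1, zt2 = pow(H_GEN, w1, P), pow(H_GEN, w2, P)              # initialization
    alpha = rand_q()                                              # part I
    Gc, Hc = hash_q(pow(G, alpha, P)), hash_q(pow(H_GEN, alpha, P))
    e1, e2 = hash_q(Gc, Hc, 1), hash_q(Gc, Hc, 2)
    resp = (alpha - e1 * w1 - e2 * w2) % Q                        # the paper's delta
    beta1, beta2 = rand_q(), rand_q()                             # part II
    Fc = hash_q(mod_p(pow(G, beta1, P), pow(H_GEN, beta2, P)))
    Mc = hash_q(mod_p(pow(pub["yt1"], beta1, P), pow(pub["yt2"], beta2, P)))
    e = hash_q(Fc, Mc)
    d1, d2 = (beta1 - e * w1) % Q, (beta2 - e * w2) % Q
    return {"zt1": zt1, "zt2": zt2, "G": Gc, "H": Hc, "resp": resp,
            "F": Fc, "M": Mc, "d1": d1, "d2": d2}


def verify_certificate(cert, pub):
    """Verifier V: recomputes the challenges from the certificate and checks parts I and II."""
    z1, z2, sigma, yt1, yt2 = (pub[k] for k in ("z1", "z2", "sigma", "yt1", "yt2"))
    zt1, zt2, resp, d1, d2 = (cert[k] for k in ("zt1", "zt2", "resp", "d1", "d2"))
    e1, e2 = hash_q(cert["G"], cert["H"], 1), hash_q(cert["G"], cert["H"], 2)
    part1 = (cert["G"] == hash_q(mod_p(pow(G, resp, P), pow(z1, e1, P), pow(z2, e2, P)))
             and cert["H"] == hash_q(mod_p(pow(H_GEN, resp, P), pow(zt1, e1, P), pow(zt2, e2, P))))
    e = hash_q(cert["F"], cert["M"])
    part2 = (cert["F"] == hash_q(mod_p(pow(G, d1, P), pow(H_GEN, d2, P), pow(z1 * zt2 % P, e, P)))
             and cert["M"] == hash_q(mod_p(pow(yt1, d1, P), pow(yt2, d2, P), pow(sigma, e, P))))
    return part1 and part2


def demo(m):
    """Returns (honest certificate verifies, certificate verifies after a_2 is altered,
    recipient recovers m from E_2 with x_2 alone)."""
    x1, x2 = rand_q(), rand_q()
    y1, y2 = pow(G, x1, P), pow(G, x2, P)
    ct1 = encrypt(m, y1)
    ct2, delta = reencrypt(ct1, x1, y2)
    cert = make_certificate(x1, delta, public_view(y1, y2, ct1, ct2))
    honest = verify_certificate(cert, public_view(y1, y2, ct1, ct2))
    altered = (ct2[0] * 2 % P, ct2[1])      # a proxy substituting a different a_2
    forged = verify_certificate(cert, public_view(y1, y2, ct1, altered))
    recipient_ok = ct2[0] * pow(ct2[1], (-x2) % Q, P) % P == m
    return honest, forged, recipient_ok


if __name__ == "__main__":
    print(demo(5))                          # (True, False, True)
```

The verifier needs only g, h, y_1, y_2 and the two ciphertexts; x_2 appears nowhere in certificate generation, which is the asymmetry requirement, and the certificate is nine values in size regardless of how many servers would jointly play P in the distributed version.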

6 Claims

The protocol for generation of translation certificates is correct (lemma 1), sound (lemma 2), and zero-knowledge in the random oracle model (lemma 3).

The protocol for robust proxy re-encryption satisfies the previously stated requirements: it satisfies correctness (theorem 1), robustness (theorem 2), asymmetry (theorem 3), and privacy (theorem 4).

These lemmas and theorems are proven in section 7.



7 Proofs of Claims

Lemma 1: The protocol generating translation certificates is correct, i.e., if the prover is honest, then the verifier will accept with an overwhelming probability.

Proof of Lemma 1:

We assume that the prover is honest. Four equations have to be satisfied in order for the verifier to accept.

1: g^δ z_1^{e_1} z_2^{e_2} = g^α = hash^{−1}(G).

2: h^δ z̃_1^{e_1} z̃_2^{e_2} = h^α = hash^{−1}(H).

3: g^{d_1} h^{d_2} (z_1 z̃_2)^e = g^{β_1} h^{β_2} = hash^{−1}(F).

4: ỹ_1^{d_1} ỹ_2^{d_2} σ^e = ỹ_1^{β_1} ỹ_2^{β_2} = hash^{−1}(M).

By the definition of G, H, F, M, these relations hold. □

It can easily be seen that the robust and distributed version of the protocol for generating translation certificates is correct if the single-server version is.

Lemma 2: The protocol for generating translation certificates is sound: If a participant has a non-negligible probability of answering three³ or more challenges correctly, then this participant can be used as a black-box to extract the secret key for decryption.

³ Normally, soundness is defined as the claimed relationship must hold if the prover can answer two queries with a non-negligible probability. However, since this is only to bound the probability of a verifier accepting an incorrect proof, any polynomial number works.

Proof of Lemma 2: (Sketch)

In this proof, we assume that it is not feasible to find hash collisions. Then, the only time the verifier will accept is if g^α = g^δ z_1^{e_1} z_2^{e_2} and h^α = h^δ z̃_1^{e_1} z̃_2^{e_2}. We now further assume that the challenges are randomly generated. We consider the two parts of the proof independently:

Part I: Let (e_1, e_2), (e_1', e_2') and (e_1'', e_2'') be three different pairs of challenges, and let δ, δ' and δ'' be the corresponding correct responses. Then, given that we have three equations for these, with common choices of α, and we only have two unknowns (w_1 and w_2), we can solve the equations for these. Therefore, if the prover can answer three or more challenges with a non-negligible probability, he must know w_1 and w_2.

Part II: Using a similar argument to that above, we see that if the prover can answer two different challenges e and e', then he can solve the response equations for w_1 and w_2.

For these two cases, therefore, being able to answer three or more possible challenges out of all possible challenges can be used to compute the secret key w_1, which corresponds to the secret key for decryption. □

Lemma 3: The interactive scheme for proving valid exponentiation is zero-knowledge in the random oracle model.

This can be seen using a standard argument, by turning the protocol into an interactive protocol, where the challenges are randomly chosen instead of chosen as functions of previously seen transcripts. If the challenges are committed to at the beginning of the protocol, then a rewinding technique will allow a simulator to produce the expected outputs after having seen the challenges.

Theorem 1: The transformation scheme satisfies correctness, i.e., if E_1 is an encryption of m w.r.t. y_1, then the output of the scheme will be E_2, an encryption of m w.r.t. y_2, for a value y_2 chosen by the proxy.

Proof of Theorem 1: (Sketch)

Assume that (a_1, b_1) = (m y_1^γ, g^γ), i.e., (a_1, b_1) is a valid ElGamal encryption of a message m w.r.t. the proxy's public key y_1. We have that (c_j, d_j) = (b_1^{−x_{1j}} y_2^{s_j}, g^{s_j}), for an already Lagrange-weighted (w.r.t. the quorum Q) secret key share x_{1j} of proxy server j, and a random number s_j. Then, we have that (a_2, b_2) = (a_1 ∏_{j∈Q} c_j, ∏_{j∈Q} d_j). We therefore have that a_2 = a_1 b_1^{−x_1} y_2^{s}, for s = Σ_{j∈Q} s_j mod q, and x_1 = Σ_{j∈Q} x_{1j} mod q. Recall that y_1 = g^{x_1} and that a_1 b_1^{−x_1} is the plaintext m corresponding to the ciphertext (a_1, b_1) w.r.t. the public key y_1. Thus, a_2 = m y_2^{s}, according to the decryption algorithm for ElGamal encryption. Since b_2 = ∏_{j∈Q} d_j = g^{s}, we have that (a_2, b_2) is a valid ElGamal encryption of the message m w.r.t. the public key y_2, and thus, the transformation protocol is correct. □

It follows automatically that the protocol that is made robust by the added use of translation certificates must be correct if the non-robust version is correct.
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Theorem 2: The scheme satisfies robustness, i.e., if any participating proxy 
server outputs a transcript that would result in an incorrect end result, then the 
honest participants will detect this, and will be able to determine the cheating 
server’s identity. 

This follows from the soundness of the translation certificates, which was shown 
in Lemma 2 : Only correct outputs (corresponding to valid re-encryptions) will 
have correct translation certificate. If an invalid translation certificate is found, 
the individual portions of this certificate can be verified for validity. This can 
be done without interaction. An invalid portion (w.r.t. the public key of the 
participant generating it) corresponds to a cheater. 

Theorem 3: The scheme satisfies asymmetry. 

This is obvious given the specification of the protocol; the proxy servers never 
need any secret information corresponding to the public key y2 of the intended 
recipient, nor does the recipient need any secret information apart from this 
secret key in order to decrypt the received transcript. 

Theorem 4: The scheme satisfies privacy: Let A be a set of proxy servers 
not containing a quorum. A can simulate transcripts such that these cannot be 
distinguished by A from transcripts of the transformation protocol, other than 
with a negligible probability. 

Proof of Theorem 4: (Sketch) 

We consider the interactive version of the translation certificate herein, to make 
the argument simple. Let $E_2$ be a value that cannot be distinguished by A from 
a valid re-encryption (according to the given public keys) of the input $E_1$. (For 
ElGamal encryption, it is commonly believed that any pair of randomly chosen 
elements from $G_p$ may be chosen as such a value $E_2$, given no partial knowledge 
of the corresponding decryption key $x_2$.) Let us assume that the secret key $x_2$ 
needed to decrypt the transformed encryption is not known by any proxy servers. 
Focusing on the non-robust transformation protocol only, one can then show that 
the view of a set of proxy servers not containing a quorum can be simulated, 
following the (somewhat space-consuming) method used in for proving the 
simulability of two related protocols, namely those for proactive key update and 
for distributed signature generation. The same result will be obtained when such 
a protocol is interleaved (a constant and low number of times) with a protocol 
that is zero-knowledge. Therefore, the robust transformation protocol has the 
property that a partial view (corresponding to the views of a set of proxy servers 
not containing a quorum) is simulable in p-time, and the simulated transcripts 
cannot be distinguished (by the same set of proxy servers) from real transcripts. 
This argument holds for a serial concatenation of protocol executions (following 
the proof method in Q,) and so, is valid also when cheating servers corrupt the 
protocol and force a restart of the same. 

In more detail, the simulator will compute transcripts according to the inputs 
given by A, and select transcripts for the appropriate distributions from the 
proxy servers not controlled by A. This is done so that the resulting output is $E_2$. 
The simulator then simulates the zero-knowledge proofs for the honest servers 
(i.e., those not controlled by A), giving transcripts showing that these transcripts 
are valid and correspond to the previously set outputs of these servers. We note 
that it will not be possible for A to distinguish transcripts in a simulation where a 
false statement is “proven” from transcripts from a simulation of a true statement 
(and therefore also not from real transcripts.) If this were not the case, then it 
would not be hard to decide whether a given input is valid or not, without 
the interaction of the prover, which in turn would violate our computational 
assumption. □ 
A Distributed Generation of Translation Certificates 

Initialization: 

$P_i$, $i \in Q$, has an (already Lagrange weighted w.r.t. Q) pair $(w_{1i}, w_{2i})$. $P_i$ computes 
and outputs $(z_{1i}, z_{2i}) = (h^{w_{1i}},$ 

Part I: 

1. $P_i$, $i \in Q$, selects $\alpha_i \in_u Z_q$, computes and publishes $(G_i, H_i) = (g^{\alpha_i}, h^{\alpha_i})$. $P_i$ 
computes $(G, H) = (\prod_{j \in Q} G_j, \prod_{j \in Q} H_j)$ and $(\bar{G}, \bar{H}) = (hash(G), hash(H))$. 

2. $P_i$, $i \in Q$, computes a pair of challenges $(e_1, e_2) = (hash(\bar{G}, \bar{H}, 1), hash(\bar{G}, \bar{H}, 2))$. 

3. $P_i$, $i \in Q$, computes and outputs $\delta_i = [\alpha_i - e_1 w_{1i} - e_2 w_{2i}]_q$. $P_i$ computes 
$\delta = \sum_{j \in Q} \delta_j$. The triple $(\bar{G}, \bar{H}, \delta)$ is output. 

Part II: 

1. $P_i$, $i \in Q$, selects $\beta_{1i}, \beta_{2i} \in_u Z_q$, computes and outputs $(F_i, M_i) =$ g-2^^). 
$P_i$ computes $(F, M) = (\prod_{j \in Q} F_j, \prod_{j \in Q} M_j)$, and $(\bar{F}, \bar{M}) = (hash(F), hash(M))$. 

2. $P_i$, $i \in Q$, computes a challenge $e = hash(\bar{F}, \bar{M})$. 

3. $P_i$, $i \in Q$, computes and outputs $(d_{1i}, d_{2i}) = ([\beta_{1i} - e w_{1i}]_q, [\beta_{2i} - e w_{2i}]_q)$. $P_i$ 
computes $(d_1, d_2) = (\sum_{j \in Q} d_{1j}, \sum_{j \in Q} d_{2j})$. The quadruple $(\bar{F}, \bar{M}, d_1, d_2)$ is 
output. 

Verification and Tracing (by provers): 

1. $P_i$ verifies that $\bar{G} = hash([g^{\delta} z_1^{e_1} z_2^{e_2}]_p)$, $\bar{H} = hash([h^{\delta} z_1^{e_1} z_2^{e_2}]_p)$, 
$\bar{F} = hash([g^{d_1} h^{d_2} (z_1 z_2)^{e}]_p)$ and $\bar{M} = hash([z_1^{d_1} z_2^{d_2} \sigma^{e}]_p)$. If this holds, $P_i$ 
accepts the transcript, otherwise he proceeds: 

2. For all $j \in Q$, $P_j$ is replaced if one of the following equations is not satis- 
fied: $G_j = g^{\delta_j} z_{1j}^{e_1} z_{2j}^{e_2}$, $H_j = h^{\delta_j} z_{1j}^{e_1} z_{2j}^{e_2}$, $F_j = g^{d_{1j}} h^{d_{2j}} (z_{1j} z_{2j})^{e}$, $M_j =$ 

The generated transcripts are identical to those of the single-server case, 
and thus, the verification (by the verifier) is identical to what was previously 
presented. 
Abstract. By introducing a new e-commerce paradigm - that of dispos- 
able anonymous accounts - we are able to reduce storage requirements, 
while protecting against strong attacks on the system, and keeping com- 
putational requirements low. Our proposed scheme reduces storage costs 
of payers and merchants to the lowest theoretically possible, offers users 
computational (but not revocable) privacy, and protects against the bank 
robbery attack. Furthermore, by being practically implementable as a 
smart card payment scheme, it avoids the threats of viral attacks on 
users. The scheme allows the notion of “pre-paid” cards by not requiring 
a link to the identity of the card owner. 



1 Introduction 

Current research in the area of electronic commerce pushes the knowledge fron- 
tier forward in two important directions, which to some extent represent the 
theory and practice of payment schemes. The first direction increases the protec- 
tion against attacks on the system, thereby protecting users against monetary 
losses and losses of system properties such as privacy. The second direction de- 
creases the hardware and communication costs of maintaining and running the 
system. General-purpose computers are powerful enough to accommodate highly 
efficient as well as very inefficient schemes. Still, this second direction of finding 
efficiency improvements is of significance, especially so since the risk of viral 
attacks makes special-purpose computers (such as smart cards) more attractive 
than traditional computer systems as payment platforms. 

With the considerable attention given to electronic commerce, both of these 
frontiers have moved considerably since Chaum, Fiat and Naor Q introduced 
the first cryptographic payment protocol in 1988. Lately, any attempt on im- 
provement has turned into a very delicate balancing act in order not to cause 
the loss of some desirable properties with the advancement of others. 

In this paper, we introduce a scheme that protects against the strongest 
known attack (namely the bank robbery attack, in which an attacker obtains the 
secret key of the currency issuing agency). At the same time, our scheme dras- 
tically reduces the hardware costs compared to previously proposed schemes. 
Although our scheme does require payments to be cleared using an on-line tech- 
nique, which is less beneficial in terms of communication than an off-line scheme, 

H. Imai and Y. Zheng (Eds.): PKC’99, LNCS 1560, pp. 122-^^^ 1999. 

© Springer-Verlag Berlin Heidelberg 1999 



Mini-Cash: A Minimalistic Approach to E-Commerce 




we argue that practically it is, in fact, not a step backwards. This is the case given 
the current trend in banking, suggesting that only on-line payment schemes (and 
hybrid schemes such as ^^^3, which are on-line with a certain probability) will 
be considered by banks, in order to minimize the potential losses made possible 
by global and instantaneous commerce capabilities.¹ 

Previously, the bank robbery attack has only been possible to prevent in 
schemes with revocable anonymity. The system we introduce demonstrates that 
the same level of system security in fact can be achieved without the ability 
for some entities to revoke anonymity. Positive aspects of not implementing 
revocability are an increased level of comfort for some users, and a lowering of 
computational and storage costs. On the negative side, the lack of revocability 
potentially opens up for attacks such as blackmail and money laundry. These 
attacks, however, are to some extent socially unacceptable versions of otherwise 
legal payment transactions, which makes them difficult to avoid at any rate. Such 
attacks may therefore require other outside mechanisms to detect and avoid. 

As a result of not requiring revocability to protect against the system attacks, 
our system allows the distribution of entities, such as the bank, but does not 
require it. Yet another advantage of our scheme is its very simple construction, 
making it easy to analyze and to prove secure. Furthermore, our scheme is fairly 
flexible in that it can be implemented using a wide variety of security primitives, 
which is an advantage in that its security - and therefore also existence - does 
not rely on the availability and soundness of a small number of components. 

What we believe is the biggest advantage of our scheme, though, is its mini- 
mal storage requirements. Our proposed scheme drastically reduces the storage 
requirements of users (both payers and merchants) to the theoretically lowest 
possible, namely to a constant size storage of a secret key (except for the tem- 
porary storage needed to perform the transactions). A payment scheme with 
smaller memory complexity is not feasible, since such a scheme would not allow 
the distinction of different parties from each other. For practical reasons, we add 
a logarithmic-sized storage indicating the amount of money held by the device; 
we note, however, that this is not necessary for the scheme to work. We also 
add storage to implement access control, e.g., PIN control. Our low memory re- 
quirements allow the affordable employment of specialized devices, such as smart 
cards, and their distribution to the masses. Such devices also have the definitive 
advantage of not being easy targets of viruses, which pose a significant threat to 
the security of any system running on a multi-purpose computer. 

By not being linked to the identity of the owner, the payment devices can 
be sold as “pre-paid” cards, much like phone cards are. This is likely to increase 

¹ The ability to drastically overspend coins during very short periods of time, while 
not necessarily appealing to the average user (who knows that the bank will detect 
the overspending and identify him/her as the overspender), is still not a desirable 
property of a payment scheme. The reason is that it makes the scheme vulnerable to 
terrorist attacks (causing inflation by aggressive overspending) and makes the mon- 
etary losses incurred by the loss (and claimed loss) of payment devices unnecessarily 
high. 
the user acceptance of the payment scheme, and open up a bigger market by 
providing for wider distribution channels. 

Outline. After presenting related work (section 2), we introduce the model (sec- 
tion 3), briefly state some definitions (section 4), after which we state our require- 
ments on the scheme (section 5). We then explain our architecture (section 6) 
and introduce our solution (section 7). We prove our scheme to satisfy the listed 
requirements in the Appendix. 



2 Related Work 

Our scheme is conceptually related to the coin paradigm, as introduced by 
Chaum, Fiat and Naor and later used in several other schemes. It is also 
related to account-based schemes, such as In fact, it is probably best de- 
scribed as being a hybrid of the two: The coins, which are stored by the bank and 
accessed by users to perform transfers, can be seen as “disposable anonymous 
accounts” . When a coin is spent, the corresponding account is removed, and a 
new account is created (corresponding to a new coin) . The payee is given access 
rights to this new anonymous account, and the payment has been completed. 
Using this amount of detail, our scheme is therefore very similar to the work by 
Simon where the underlying idea of bank-kept coins was introduced. 

Just as in the pioneering work of Chaum et al., we work in the on-line 
payment model. This model has been abandoned for a long period of time, and 
much effort has been spent in developing off-line payment schemes, but now, the 
on-line paradigm is seeing a renaissance again, given the commercial preference 
for it. 

We also to some degree revisit these early schemes in terms of privacy, as 
privacy cannot be revoked in our scheme. We offer what we call chain privacy. 
Think of the beginning of a chain as the point where a user identifies himself 
to the bank and transfers money from a traditional account into our scheme. 
The end of the same chain corresponds to the point where a user in our scheme 
transfers funds out to a traditional account. Chain privacy means that the bank 
will know the length of the chain, where each payment corresponds to one link 
of the chain, and will know the identities of the end-points, but will not be 
able to correlate the identities of the users to payments that are in between 
the endpoints. If the transfers are done from or to cash, we think of this as a 
chain with anonymous end-points, in which case the bank will know even less. 
Practically, and for chains of sufficient length, this type of privacy will appear to 
users as very similar to the privacy offered by early schemes, i.e., perfect privacy. 
This is the case since, like all early schemes, our protocol offers users privacy 
even against a collusion of all other entities (to the extent that other users can 
limit the number of possible guesses a bank has to make in order to learn how 
a payment was made, by revealing all their private information to the bank). 
Again, this is very similar to the scheme by Simon although he did not 
analyze the privacy properties in detail. 
A strong reason why perfect privacy had to give way to revocable privacy in 
recent work (e.g., is that the latter model allowed the strength- 

ening of the attack model. In a setting with revocable privacy, it is possible to 
render attacks such as blackmail and bank robbery meaningless, by allowing pri- 
vacy and funds to be revoked. (This is not possible for the early work granting 
perfect privacy.) In the bank robbery attack, introduced in the attacker 
obtains the secret key of the bank and trustee, allowing him to mint money him- 
self. This attack was prevented against in by ascertaining that all coins 

can always be identified, no matter how they were produced. In a different 
approach was taken, in which knowledge of the secret keys does not allow the 
attacker to produce funds - only trace them. In our scheme, we prevent against 
the bank robbery attack in a way that is similar to that of in the sense that 
we are making knowledge of the bank secret keys useless to an attacker. 

One main difference between our method and previous work is where the 
coin representation is being kept. In all work of this genre, except for 
a significant portion of the transcripts equaling funds were kept by the users 
(as a secret key for an unspent coin, and as a signature for a spent coin). In 
the users only store a secret key needed to sign encrypted purchase orders, 
and the bank kept the other data. We take a similar approach in this work. We 
let the bank store information corresponding to funds, leaving the users with 
only having to store a secret key needed to access the data stored by the bank. 
Shifting the storage requirements in this manner not only eases the load on 
the user devices, but also allows for the much stronger attack model that we 
implement. Our result differs from structurally by not requiring distributed 
control of the bank functionality, and functionally by crediting the account of 
the merchants immediately a payment has been performed. This also allows the 
introduction of new functionality by the use of challenge semantics. 

As previously mentioned, our scheme is a very close relative to the scheme 
by Simon One difference is that we do not assume a secure communication 
channel. In Simon’s scheme, there is a brief moment, in between the debiting 
and crediting of accounts, when a coin reverts to the bank and does not belong 
to either payer or payee. In principle, this makes the scheme susceptible to fraud, 
embezzlement and system failures. Also, we allow for evidence of transactions to 
be provided (in our construction, the secret access key is not known by the bank), 
and we elaborate more carefully what privacy is obtained from the scheme. More 
importantly, we investigate methods to compress the data to be kept by the pay- 
ment devices, allowing these to hold only a constant sized (in the numbers of 
coins) secret seed, although for convenience, balance information would probably 
be desirable to be kept as well. In comparison, Simon’s scheme uses a represen- 
tation of each coin to be stored by its owner. Moreover, our scheme is contrasted 
to Simon’s, which, by not using signatures, limits computational costs, but at 
the same time also reduces the functionality of the resulting scheme. 

Technically, our work bears some resemblance to micro-payment schemes 
(e.g., These allow a user to spend a coin representation in small 

steps by sending the merchant transcripts that are computed as incremental 
hashes of a seed. Similarly, we maintain low storage costs for user devices by 
letting these store only a seed and counters, from which payment transcripts 
can be computed during a transaction. However, our scheme differs conceptually 
from published micro-payment schemes in that we require the bank to be on-line, 
and that we offer increased versatility and security. 

During the intensive period of research on payment schemes over the last 
ten years, a multitude of properties have been proposed. One of these is divis- 
ibility (e.g., In our setting, we do not provide for divisibility of coins. 

However, this property was mainly required to battle the considerable costs of 
a large and diverse wallet in the original coin model. As we significantly limit 
storage requirements, we also limit the need for coin divisibility. However, coin 
divisibility also has the advantage of reduced communication requirements. We 
suggest another possible method to reduce the communication requirements of 
several simultaneous coins. An advantage of not allowing divisibility is a slight 
improvement of privacy related issues, which suffer both with divisibility and 
the related notion of k-spendability (the notion of being able to spend a 
coin up to a fixed number k of times). 



3 Model 

Users. We have three main types of protocol participants, payers, merchants, and 
banks. One entity may first act as a payer (when making a payment) and later 
act as a merchant (when receiving a payment). For simplicity, we call anybody 
making a payment a payer, and anybody receiving a payment a merchant. The 
bank keeps account information and transfers funds between accounts. A fourth 
type of entity is the issuer, who manufactures and/or distributes the computa- 
tional devices corresponding to the payers and the merchants. The last type of 
participant is the interface, which shows the sum to be added or subtracted from 
the card connected, and is used for human identification to the payment device. 
The interface may be part of the user payment device. 

Trust. All users trust the bank not to steal, i.e., trust the bank not to cancel or 
fail to create accounts that should be active according to the protocol description. 
All users trust the issuer to produce payment devices that follow the protocol. 
If the device is sold to the user with a seed installed, then the user trusts the 
issuer (for his privacy and security) not to use this seed in any computation, 
but to forget it after installing it. Similarly, if the card is sold to the user with 
funds on it, the user trusts the issuer not to steal, i.e., he trusts the issuer that 
the payment device indeed has access rights to the claimed sum. Finally, if an 
interface is used, the users trust the interface not to move a different sum from 
the payment device than the human user agreed to. The interface is also trusted 
not to store or use the PIN, or any other identifying information used for human 
access control to the payment device. 
4 Definitions 

A payment chain is a sequence of links, each one of them corresponding to a 
transaction, or a group of transactions that are known or very likely to be made 
by one particular device (i.e., intentionally linked together or made at the same 
time from the same IP address). A transaction is one of the following: (1) a 
transfer of funds to a payment device from a source outside the payment scheme 
(such as a normal bank account), (2) a transfer between payment devices, or (3) 
a transfer from a payment device to a destination outside the payment scheme. 
The beginning of a chain corresponds to a transaction of the first type, and the 
end of a chain corresponds to a transaction of the third type. 

By (computational) chain privacy we mean that it is infeasible for any collu- 
sion of parties to determine the origin or destination of a payment corresponding 
to a link where they are not themselves the origin or destination, even if all pre- 
viously seen transactions can be matched to the identities of their respective 
participants. 

Let us clarify this with an example: In our scheme, the bank will know the 
identity of the user associated with the first link in a chain. It will not know the 
identity of the merchant of the second link, but will know who paid this person. 
Similarly, for the third link, it will know who paid the payer of this merchant - 
this corresponds to the identity of the user associated with the first link. Finally, 
it will know the identity of the user who becomes the final link of the chain. 



5 Requirements 

Privacy. We require our system to satisfy chain privacy. Furthermore, we require 
that it be impossible for a payer or merchant to prove to a third party what the 
identity of the other participant of the transaction was. 

Access Rights. First, our scheme must satisfy the standard requirement of un- 
forgeability, i.e., that it is not possible for an attacker to create a transcript that 
corresponds to a transfer of funds he is not entitled to. 

Secondly, we require that the system is secure against bank robbery. In a bank 
robbery attack, we have an attacker, who gains read access to all the secret 
information of the bank, and who has write access to main memory (but not 
the backup tapes) of the bank in a limited time interval. We wish to prevent 
him from performing payments not corresponding to funds that are obtained 
following the specified protocols. 

Finally, we require that a user can block access to the funds of a lost device, and 
to recover these funds. 

In the appendix, we prove that our proposed scheme satisfies the above listed 
requirements. 
6 Architecture 

We now discuss the general architecture of our scheme. We begin by briefly 
describing two common architectures from the literature, namely coin-based and 
account-based schemes: 

In coin-based schemes, payers store information corresponding to certificates 
and secret keys, which are used to produce payment transcripts. The payment 
transcripts correspond closely to certificates, one by the bank, and one by the 
payer. These are later stored by the bank until the expiration date of the coin, 
after which they can be erased. 

In an account-based scheme, the storage requirements are shifted towards the 
bank. The user typically only stores a secret key, which is used to produce 
certificates corresponding to an account that the bank maintains. The merchant 
deposits certificates with the bank, who keeps a record of the remaining balance. 
Often, the same secret key is used for an extended amount of time. 

Disposable Anonymous Accounts. Our scheme draws on both of the above con- 
cepts. Funds can be thought of as coins kept by the bank and accessed by users. 
Alternatively, we can think of funds as one-time accounts. We use the term dis- 
posable anonymous account to describe the representation of funds, in order to 
highlight two of its most distinguishing properties. The first is that an account 
corresponds to a fixed amount, much like a coin does, and can only be spent in its 
entirety, after which it is canceled. The second property corresponds to the fact 
that accounts are not associated with the identities of the owners. For brevity, 
we also use the term coin for such an account in its different representations. 

Bank Representation. For each account, the bank stores an account description. 
This is either a public key or a function of a public key, such as a hash. Accounts 
can be created by users transferring funds to the bank, who then registers public 
keys given to it by the user in question. Accounts can also be created by per- 
forming a payment. During a payment, a new account is created and an old one 
canceled, with the funds previously associated with the first account becoming 
associated with the second account. 

More specifically, the payer signs a public key provided by the merchant using a 
secret key whose public counterpart is stored by the bank and associated with a 
certain amount. Signing the document transfers the access rights to the holder of 
a second secret key, corresponding to the public key signed. When the bank re- 
ceives such a payment order, it verifies the validity of the payer’s account, erases 
the latter, and then creates a new account labeled by the public key signed by 
the payer. 

User Representation. In order to obtain a compact representation of funds, the 
payment devices will have the following structure: Each device contains a seed, 
from which secret keys can be generated by the application of a pseudo-random 
generator to the seed and a serial number describing the coin. Two counters 







will be maintained, one corresponding to the next coin to be spent, another 
corresponding to the last coin that can be spent. A payment is performed by 
the merchant creating a secret key using the merchant’s “max coin” position, 
computing the corresponding public key, and having the payer sign this using 
the secret key indicated by the payer’s “next coin” position. At the end of the 
transaction, involving the cancelation of the payer’s account and the creation 
of the merchant’s account, the payer increases his “next coin” counter, and 
the merchant his “max coin” pointer in order to keep track of their balances. 
(Notice that the use of counters is only for the users’ own benefit, and it would 
not constitute an attack to update the counters in another manner.) 

7 Solution 

Denotation. We let p and q be large primes such that p − 1 is a multiple of q. 
We let f be a one-way function, modeled by a random oracle, with an output in 

Bank Database. The Bank has a secret key with a corresponding public key 
associated with himself. The keys are used only to authenticate acknowledgments 
of funds transfers. The Bank keeps a database of all valid accounts. For each 
valid account y the Bank stores an identifier, such as a hash of y. When an 
account becomes invalid, its identifier is erased from the Bank database; when 
a new account is generated, the corresponding identifier is added to the Bank 
database. Additionally, when an account is created by a transfer from a source 
outside our payment scheme, the bank labels the corresponding account identifier 
by a description of the source. 

Payment Device Setup. When a new user joins, he obtains a payment device, 
such as a smart card. During an initiation phase, he sets a PIN (or initiates 
some other identification scheme, such as a biometric scheme). He then selects 
a random seed σ, also to be stored on the payment device. He sets the counters 
next = 1, max = 0. (A device carries funds when max > next.) The first 
indicates what payment is to be performed next; the latter indicates the last 
valid payment that can be made. The setup is done using a trusted device, such 
as a home computer with a smart card reader/writer. 

Performing a Backup. A PIN-protected backup² can be made at any time by 
copying the counters next and max to a secure backup device, such as a home 
computer. The first time such a backup is made, or during payment device setup, 
the seed σ is copied as well. For advanced devices, other information may be kept, 

² We note that performing backups to a multi-tasking computer opens up the scheme 
to possible virus attacks that are otherwise not possible for smart card only schemes. 
Also, making backups limits the protection given by the PIN, unless similar protec- 
tion mechanisms are employed for the computer. These problems can be avoided by 
encrypting all backup data on the smart card, using the bank's public key. 
such as information about what is purchased, and when; such information may 
also be copied during a backup. Additionally, the values of the counters may be 
sent to the bank during a transfer of money to or from the payment device. 

Transfering Money to/from the Payment Device. A user transfers money to a 
payment device by paying the bank the sum to be added, and creating new dis- 
posable anonymous accounts (the number of which corresponds to the amount to 
be added to the card) . A user transfers money from a payment device by paying 
the bank the corresponding sum. In order to transfer the sum to a standard bank 
account, the user may indicate in his payment the designation of the payment. 
In performing a payment below, it is explained how a payment is performed, 
and how an account is selected and created. (We later discuss the designation of 
accounts as well.) 

Performing a Payment. 

1. The Payer P verifies the availability of funds by checking that the balance 
is sufficient for the desired transfer. Using appropriate access control mech- 
anisms (such as a PIN) it verifies that only users allowed access can perform 
the transaction. 

2. The Merchant M with a secret seed $\sigma_M$ and a max-counter $max_M$ computes 
a key $x_M = f(\sigma_M, max_M + 1, 1)$. He computes $y_M = g^{x_M} \bmod p$ and sends 
$y_M$ to the Payer P. 

3. The Payer P with a secret seed $\sigma_P$ and a next-counter $next_P$ computes 
a keypair $(x_P, k) = (f(\sigma_P, next_P, 1), f(\sigma_P, next_P, 2))$. He then computes 
a pair $(y_P, r) = (g^{x_P}, g^{k})$, where the operations are modulo p. He finally 
computes a Schnorr³ signature s on $y_M$: $s = k - x_P H(y_M, r)$, where H is an 
appropriate hash function. 

4. The quadruple⁴ $(y_P, y_M, r, s)$ is sent to the Bank B. The Bank verifies that 
$y_P$ is a valid account, and that (r, s) is a valid signature on $y_M$ using the 
public key $y_P$. For Schnorr signatures, this amounts to verifying that $r = 
g^{s} y_P^{H(y_M, r)}$. If the account exists and the signature is valid, then the Bank 
cancels $y_P$ and stores the new account $y_M$, after which it acknowledges the 
transaction by returning a Bank signature on $(y_P, y_M)$. 

5. If a Bank acknowledgment is received, the Payer P increases the counter 
$next_P$ by one, and the Merchant M increases the counter $max_M$ by one. 
The payment has now been performed. 

Blocking a Lost Payment Device. All the payments from a payment device can 
be blocked using the backup device by attempting to perform payments, starting 
at the position indicated by $next_P$, and with increasing values for the counter 
from the first successful payment until the first failed attempt. The payments 

³ A variety of other schemes may be used in place of Schnorr signatures. 

⁴ The public signing key $y_P$ does not have to be sent if the signature scheme allows 
$y_P$ to be computed from $(y_M, r, s)$. Schnorr signatures allow this shorter format to 
be employed. 
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are done to a new device which is controlled by P. Performing the payments 
effectively empties the lost payment device. 
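The five payment steps and the lost-device procedure, carried through in Python as an added example; this is not code from the paper, which gives no implementation. It assumes SHA-256 for both the PRG f and the hash H, a constructed safe-prime Schnorr group found at start-up (a 62-bit q, far too small for real use and chosen only so the example runs quickly), constructed seeds, and that the payer's initial accounts were entered at the bank by an earlier withdrawal. The names Device, Bank, pay and block_lost_device are this example's own.

```python
import hashlib
def _is_prime(n: int) -> bool:
    """Deterministic Miller-Rabin: exact for every n < 3.3e24 with these 12 bases."""
    if n < 41: return n in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    d, s = n - 1, 0
    while d % 2 == 0: d, s = d // 2, s + 1
    for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        x = pow(a, d, n)
        if x in (1, n - 1): continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1: break
        else:
            return False
    return True

# Constructed toy group: smallest safe prime p = 2q + 1 with q > 2^62. Far too small for
# real use (p should be 2048 bits or more); g = 4 = 2^2 generates the order-q subgroup.
Q = (1 << 62) + 1
while not (_is_prime(Q) and _is_prime(2 * Q + 1)):
    Q += 2
P, G = 2 * Q + 1, 4

def f(seed: bytes, counter: int, index: int) -> int:
    """PRG f(seed, counter, index) -> exponent in [1, q-1]; SHA-256 is an assumed choice."""
    h = hashlib.sha256(seed + counter.to_bytes(8, "big") + bytes([index])).digest()
    return 1 + int.from_bytes(h, "big") % (Q - 1)

def H(*parts: int) -> int:
    """Hash H of the message and r, reduced mod q (SHA-256, assumed)."""
    return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big") % Q

def schnorr_sign(x: int, k: int, *msg: int):
    """r = g^k mod p, s = k - x*H(msg, r) mod q (step 3)."""
    r = pow(G, k, P)
    return r, (k - x * H(*msg, r)) % Q

def schnorr_verify(y: int, r: int, s: int, *msg: int) -> bool:
    """Accept iff r = g^s * y^H(msg, r) mod p (step 4)."""
    return r == pow(G, s, P) * pow(y, H(*msg, r), P) % P

class Device:
    # Payer or merchant device: a secret seed plus next and max counters.
    def __init__(self, seed: bytes, next_ctr: int = 0, max_ctr: int = -1):
        self.seed, self.next, self.max = seed, next_ctr, max_ctr
    def account_key(self, counter: int) -> int:
        return pow(G, f(self.seed, counter, 1), P)

class Bank:
    """One public key per unit of funds; the bank's secret key only signs acknowledgments."""
    def __init__(self, accounts):
        self.accounts, self.acks = set(accounts), 0
        self.x_B = f(b"bank-seed", 0, 1)                    # constructed bank key
        self.y_B = pow(G, self.x_B, P)
    def transfer(self, y_P, y_M, r, s):
        # Step 4: y_P must be a live account and (r, s) a valid signature on y_M under y_P.
        if y_P not in self.accounts or not schnorr_verify(y_P, r, s, y_M):
            return None
        self.accounts.remove(y_P)                           # cancel the debited account
        self.accounts.add(y_M)                              # store the newly created one
        self.acks += 1                                      # fresh nonce for every ack
        return schnorr_sign(self.x_B, f(b"bank-seed", self.acks, 2), y_P, y_M)

def pay(payer: Device, merchant: Device, bank: Bank):
    """Steps 1-5. Returns the transcript (y_P, y_M, r, s) sent to the bank, or None."""
    if payer.next > payer.max:                              # step 1: no funds left
        return None
    y_M = pow(G, f(merchant.seed, merchant.max + 1, 1), P)  # step 2
    x_P, k = f(payer.seed, payer.next, 1), f(payer.seed, payer.next, 2)  # step 3
    r, s = schnorr_sign(x_P, k, y_M)
    y_P = pow(G, x_P, P)
    ack = bank.transfer(y_P, y_M, r, s)                     # step 4
    if ack is None or not schnorr_verify(bank.y_B, *ack, y_P, y_M):
        return None
    payer.next, merchant.max = payer.next + 1, merchant.max + 1   # step 5
    return y_P, y_M, r, s

def block_lost_device(backup: Device, new_device: Device, bank: Bank, limit: int = 64) -> int:
    """Replay the lost device's payments from its backup into new_device, from backup.next
    upward through the first success until the first failure. Returns the units moved."""
    moved, started = 0, False
    for ctr in range(backup.next, backup.next + limit):
        if pay(Device(backup.seed, ctr, ctr), new_device, bank):
            moved, started = moved + 1, True
        elif started:
            break
    return moved

def demo() -> dict:
    payer = Device(b"payer-seed", max_ctr=2)                # 3 units at positions 0..2
    merchant = Device(b"merchant-seed")
    bank = Bank(payer.account_key(i) for i in range(3))    # prior withdrawal (constructed)
    t1, t2 = pay(payer, merchant, bank), pay(payer, merchant, bank)
    replay_rejected = bank.transfer(*t1) is None            # y_P is already cancelled
    chained = pay(merchant, payer, bank) is not None        # merchant spends a received unit
    stale_backup = Device(b"payer-seed", max_ctr=2)         # backup taken before any payment
    moved = block_lost_device(stale_backup, Device(b"new-device"), bank)
    return {"paid": t1 is not None and t2 is not None, "replay_rejected": replay_rejected,
            "chained": chained, "moved": moved, "units": len(bank.accounts)}
```

demo() walks the protocol once: two payments go through, re-submitting the first transcript fails because its y_P has already been cancelled, the merchant can spend a received unit without any new withdrawal, and a backup taken before any payment recovers exactly the two units still on the lost device (the attempts fail until the first live position, and the first failure after that stops the replay). The number of live bank accounts stays at three throughout, since a payment only replaces one public key by another, which is what makes the bank's storage a set of keys rather than a ledger of balances.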

8 Extensions and Remarks 

Preprocessing. We note that the modular exponentiations can be performed 
using pre-processing, since they do not depend on the transaction specifics. 

Batch payments. It is possible to perform a payment involving several coins at 
the same time by creating a signature using all the corresponding secret keys. 
As an example, a Schnorr signature on n merchant public keys y_{M1}, ..., y_{Mn}, 
using n payer secret keys x_{P1}, ..., x_{Pn} could be computed as s = k − X H(μ, r), 
for r = g^k. Here, the message μ = (μ_M, μ_P) = ((y_{M1}, ..., y_{Mn}), (y_{P1}, ..., y_{Pn})) 
indicates the public keys of the accounts to be created and those to be debited, 
where (y_{P1}, ..., y_{Pn}) correspond to the secret keys (x_{P1}, ..., x_{Pn}) used to perform 
the payment. Finally, the secret signing key X is a weighted version of all the 
involved signing keys, computed as X = Σ_{i=1}^{n} w_i x_{Pi} mod q, where w_i is a weight 
that can be computed as hash(μ_P, i). The corresponding signature would be 
verified by checking that r = …, where Y = Π_{i=1}^{n} y_{Pi}^{w_i} mod p, using the 
same w_i as above. 
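The batch signature of this paragraph, as an added Python example that is not from the paper: the weights w_i = hash(μ_P, i), the aggregate secret X = Σ w_i x_{Pi} mod q, and the bank's Y = Π y_{Pi}^{w_i} mod p. It assumes SHA-256 for both H and hash, a constructed toy group (p = 2039, q = 1019, g = 4, far too small for real use), and that the bank's check is the single-payment Schnorr equation of step 4 with Y in place of y_P; the keys are constructed and stand in for real accounts.

```python
import hashlib

# Constructed toy Schnorr group (p = 2q + 1, g of order q), far too small for real use.
P, Q, G = 2039, 1019, 4

def h(*parts) -> int:
    """Hash of the given parts reduced mod q; SHA-256 stands in for both H and hash."""
    return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big") % Q

def weights(y_P: tuple) -> list:
    """w_i = hash(mu_P, i) for i = 1..n, recomputed identically by signer and verifier."""
    return [h(y_P, i) for i in range(1, len(y_P) + 1)]

def batch_sign(x_P: list, y_M: list, k: int):
    """Payer side: one signature that debits every y_Pi = g^x_Pi and creates every y_Mi."""
    y_P = tuple(pow(G, x, P) for x in x_P)
    mu = (tuple(y_M), y_P)                                   # mu = (mu_M, mu_P)
    X = sum(w * x for w, x in zip(weights(y_P), x_P)) % Q    # X = sum_i w_i x_Pi mod q
    r = pow(G, k, P)
    return mu, r, (k - X * h(mu, r)) % Q                     # s = k - X H(mu, r) mod q

def batch_verify(mu, r: int, s: int) -> bool:
    """Bank side: Y = prod_i y_Pi^w_i mod p, then the Schnorr check with Y in place of y_P."""
    y_P = mu[1]
    Y = 1
    for y, w in zip(y_P, weights(y_P)):
        Y = Y * pow(y, w, P) % P
    return r == pow(G, s, P) * pow(Y, h(mu, r), P) % P

def demo() -> tuple:
    x_P = [123, 456, 789]                                    # constructed payer secret keys
    y_M = [pow(G, e, P) for e in (11, 22, 33)]               # constructed merchant accounts
    mu, r, s = batch_sign(x_P, y_M, k=77)
    return batch_verify(mu, r, s), batch_verify(mu, r, (s + 1) % Q)
```

Verification works because Y^{H(μ, r)} = g^{X·H(μ, r)} cancels the X term in s, exactly as y_P^{H(y_M, r)} does for a single payment. The weights are what make this safe to use over several accounts: with a plain product of the y_{Pi}, a set of debited accounts could be chosen so that the product equals a key whose secret is known even though none of the individual secrets is (the rogue-key problem of unweighted key aggregation); tying each weight to μ_P and the index removes that freedom.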

Fungibility. Several different denominations are possible, in which case the bank 
keeps one account database for each such denomination. It is possible to “make 
change” by transferring a high-denomination coin to several low-denomination 
coins (by signing a list of public keys and a description of the wanted denomina- 
tions), some of which can be given to the merchant, and others kept by the payer. 
Likewise, it is possible to get rid of change by using several low-denomination 
coins simultaneously to create one high-denomination coin (by signing one public 
key only, using several secret keys). 

Added functionality. Using challenge semantics it is possible to introduce 
functionality such as fairness. This is done by letting the payer sign a pair (y_M, c) 
instead of merely y_M, where c is an arbitrary contract. This can also be used to 
designate the payments for a certain account or purpose. Similarly, it is possible 
to transfer funds to other payment schemes or account types, by signing an 
identifier of the recipient account (such as a credit card number) instead of 
signing y_M. It is also possible to implement agent-based commerce using the 
same principle. We refer to for a more thorough discussion of these ideas. 

Using prepaid cards. For prepaid cards, parts of the payment device setup may 
be performed by a trusted card manufacturer or distributor, whose tasks may 
include selecting the random seed and setting the counters appropriately. If the card 
is used only for low-cost payments, e.g., to hold subway tokens or to be used as a 
phone card, it may not require a PIN. Alternatively, a prepaid card may require 
a PIN to be entered (using a trusted interface) the first time it is used, or may 
(as is common for phone cards) have the PIN printed on a piece of paper that 
can only be read once the card is unwrapped. 
A remark on counters: In the above we have ignored the problem of wrap-around 
of counters; however, this problem can easily be addressed. We also see that the 
actual value of the counters is not important for the sake of security, i.e., if a 
user would alter his counter, then this would not enable him to gain access to 
more funds (as there would be no corresponding accounts stored by the bank). 

A Counter-free system. It is theoretically possible to reduce the storage re- 
quirements to a constant by removing the use of the counters. Instead, we will 
keep two seeds, one corresponding to the next pointer, one corresponding to 
the max counter. For each payment made, the next seed would be updated as 
σ_next := f(σ_next); for each payment received, we would have σ_max := f(σ_max). 
Here, the relation between the two seeds is such that σ_max = f^B(σ_next) for a 
balance B (that is not stored by the device). If σ_max = σ_next, there is no money 
on the storage device. It appears advantageous, though, to keep the balance 
stored, making a system using counters superior. 

A remark on privacy: We have assumed that no identifying information, such 
as an IP-address, is leaked when a device connects to the Bank. Should this 
not be the case, then we can let the payer connect to the bank for every other 
payment of the chain, and the merchant for every other payment. Note that 
this requires a one-bit state to be stored by the user for each unit of funds, 
indicating whether the transcript will be sent by him or the merchant. This 
efficiently disassociates every second holder of a portion of funds to the bank, 
thereby making any association between payer and merchant impossible for the 
bank to perform. 
A Proofs 

Theorem 1: Given that it is infeasible to invert the one-way function used for 
the PRG, the scheme satisfies chain privacy. Moreover, it prevents a merchant 
from proving the identity of a payer to a third party. 

Proof of Theorem 1: (Sketch) 

We prove the theorem by reducing a successful predicting adversarial strategy 
to an algorithm for inverting a one-way function. First, there cannot exist a p- 
time distinguisher that decides whether an output comes from a first or second 
PRG, or this could be used to distinguish a pseudo-random sequence from a 
truly random sequence. (This argument uses a hybrid argument in which one 
random sequence is gradually replaced with a pseudo-random sequence and for 
each step compared to another pseudo-random sequence.) 

We now assume that a third party is able to correlate to a transaction (which does 
not constitute an end-point of the payment chain) the identity of a party involved 
in the transaction. Without loss of generality, we assume that this adversary is 
able to determine with some probability (non-negligibly exceeding that of a guess 
among all potential parties whom he does not control) the identity of a merchant 
corresponding to a given link of the chain, such that this link is not the end point 
of the chain. In order to do so, the adversary needs to be able to successfully 
match the public key y generated by the merchant to a previous transaction 
of the same merchant (since valid transactions not involving said merchant are 
independent of the merchant’s seed). Given the previous argument, this is not 
possible for two potential merchants. The argument trivially extends to multiple 
parties. 

The second part of the theorem trivially holds since there is no proof of identity 
in the payment protocol, and so, there exists no transferable proof of identity of 
either the merchant or the payer. □ 

Theorem 2: The scheme satisfies unforgeability, i.e., it is infeasible for an adver- 
sary to perform a payment unless he (or a collaborator) generated the secret key 
corresponding to the account originating the payment, or he knows the secret 
key of the bank. 

This follows directly from the soundness of the signature schemes used, and 
the fact that it is not possible to predict the value of the secret key even if all 
previously generated secret keys were known (as shown in Theorem 1). 

Theorem 3: The scheme protects against bank robbery, i.e., it is infeasible for 
an adversary who forces the bank to give him temporary but unrestricted read 
and write access to the bank’s storage to gain access to funds he is not entitled 
to, without allowing the immediate tracing of the corresponding transactions 
and the replacement of the bank keys. 

Unrestricted read access to the bank storage does not allow the adversary 
to produce representations of funds, since this can only be done by entering new 
public keys in the bank database. The only way an attacker can produce new 
representations of funds is to enter new public keys in the bank’s database, or 
increasing the balance of a standard account, both of which can be undone once 
the bank regains control. The only time the bank uses its secret key is when it 
acknowledges a transaction. Being able to acknowledge transactions (real and 
forged) does not allow the adversary access to funds per se, although it may 
allow the adversary to perform (detectable) transactions that he is not entitled 
to. 
Abstract. In a distributed system, dynamically dividing execution between 
nodes is essential for service robustness. However, when all of the nodes cannot 
be equally trusted, and when some users are more honest than others, controlling 
where code may be executed and by whom resources may be consumed is a non- 
trivial problem. In this paper we describe a generic authorisation certificate ar- 
chitecture that allows dynamic control of resource consumption and code 
execution in an untrusted distributed network. That is, the architecture allows the 
users to specify which network nodes are trusted to execute code on their behalf 
and the servers to verify the users’ authority to consume resources, while still al- 
lowing the execution to span dynamically from node to node, creating delega- 
tions on the fly as needed. The architecture scales well, fully supports mobile 
code and execution migration, and allows users to remain anonymous. 

We are implementing a prototype of the architecture using SPKI certificates and 
ECDSA signatures in Java 1.2. In the prototype, agents are represented as Java 
JAR packages. 



1 Introduction 

There are several proposals for distributed systems security architectures, including the 
Kerberos [14], the CORBA security architecture [23], and the ICE-TEL project pro- 
posal [6], to mention but a few. These, as well as others, differ greatly in the extent they 
support scalability, agent mobility, and agent anonymity, among other things. Most of 
these differences are clearly visible in the trust models of the systems, when analyzed. 

In this paper we describe a Simple Public Key Infrastructure (SPKI) [7] [8] [9] 
based distributed systems security architecture that is scalable and supports agent mo- 
bility, migration and anonymity. Furthermore, all trust relationships in our architecture 
are explicitly visible and can be easily analyzed. The architecture allows various secu- 
rity policies to be explicitly specified, and in this way, e.g., to specify where an agent 
may securely execute [27]. 

Our main idea is to use dynamically created SPKI authorisation certificates to dele- 
gate permissions from an agent running on one host to another agent running on an- 
other host. With SPKI certificates, we are able to delegate only the minimum rights the 
receiving agent needs to perform the operations that the sending agent wants it to carry 
out. The architecture allows permissions to be further delegated as long as the generic 
trust relationships, also presented in the form of SPKI certificates, are preserved. 

A typical application could be a mobile host, such as a PDA. Characteristic to such 
devices are limited computational power, memory constraints and an intermittent, low 
bandwidth access to the network. These pose some limitations on the cryptographic 
system used. Favourable characteristics would be short key length and fast operation 
with limited processing power. 

In order to be able to distinguish running agents, and delegate rights to them, new 
cryptographic key pairs need to be created, and new certificates need to be created and 
verified. To make this happen with an acceptable speed, we have implemented the rele- 
vant public key functions with Elliptic Curve based DSA (ECDSA), yielding reasona- 
ble performance. 

In our architecture, cryptographic key pairs are created dynamically to represent 
running agents. This also has a desirable side effect of making anonymous operations 
possible while still preserving strong authorisation. In practical terms, some of the cer- 
tificates that are used to verify agent authority may be encrypted to protect privacy. 
This hinders third parties, and even the verifying host, from determining the identity of 
the principal that is responsible for originally initiating an operation. This allows users’ 
actions to remain in relative privacy, while still allowing strong assurance on whether 
an attempted operation is authorised or not. 

We are in the process of implementing a practical prototype of our architecture. 
The prototype is based on distributed Java Virtual Machines (JVM) running JDK 1.2, 
but the same principles could be applied to any distributed system. The main parts of 
the prototype architecture are already implemented, as described in [15], [21], and 
[25], while others are under way. 

The rest of this paper is organized as follows. In Sect. 2 we describe the idea of author- 
isation certificates, their relation to trust relationships and certificate loops, and the se- 
curity relevant components of the SPKI certificates. Sect. 3 summarizes the dynamic 
nature of the SPKI enhanced JDK 1.2 security architecture. Next, in Sect. 4, we de- 
scribe how our ECDSA implementation complements the Java cryptography architec- 
ture. In Sect. 5, we define the main ideas of our architecture, and show how SPKI 
certificates and dynamically generated key pairs can be used to anonymously, but se- 
curely, delegate permissions from one JVM to another. Sect. 6 describes the current 
implementation status, and Sect. 7 includes our conclusions from this research. 
2 Authorisation and Delegation 

The basic idea of authorisation, as opposed to simple (identity) authentication, is to at- 
test that a party, or an agent, is authorised to perform a certain action, rather than 
merely confirm that the party has a claimed identity. If we consider a simple real life 
example, the driver’s licence, this distinction becomes evident. The primary function 
of a driver’s licence is to certify that its holder is entitled, or authorised, to operate ve- 
hicles belonging to certain classes. In this sense, it is a device of authorisation. How- 
ever, this aspect is often overlooked, as it seems obvious, even self-evident, to most 
people. 

The secondary function of a driver’s licence, the possibility of using it as evi- 
dence of identity, is more apparent. Yet, when a police officer checks a driver’s licence, 
the identity checking is only a necessary side step in assuring that the operator of a ve- 
hicle is on legal business. 

The same distinction can and should be applied to computer systems. Instead of us- 
ing X.509 type identity certificates for authenticating a principal’s identity, one should 
use authorisation certificates, or signed credentials, to gain assurance about a princi- 
pal’s permission to execute actions. In addition to a direct authorisation, as depicted in 
the driver’s licence example, in a distributed computer system it is often necessary to 
delegate authority from a party to a next one. The length of such delegation chains can 
be pretty long on occasions. [17] 

2.1 Trust and Security Policy 

Trust can be defined as a belief that an agent or a person behaves in a certain way. Trust 
to a machinery is usually a belief that it works as specified. Trust to a person means 
that even if that person has the possibility to harm us, we believe that he or she chooses 
not to. The trust requirements of a system form the system’s trust model. For example, 
we may need to have some kind of trust to the implementor of a software whose source 
code is not public, or trust to the person with whom we communicate over a network. 

Closely related to the concept of trust is the concept of policy. A security policy is a 
manifestation of laws, rules and practices that regulate how sensitive information and 
other resources are managed, protected and distributed. Its purpose is to ensure that the 
handled information remains confidential, integral and available, as specified by the 
policy. Every agent may be seen to function under its own policy rules. 

In many cases today, the policy rules are very informal, often left unwritten. How- 
ever, security policies can be meaningful not only as internal regulations and rules, but 
as a published document which defines some security-related practices. This could be 
important information when some outsider is trying to decide whether an organization 
can be trusted in some respect. In this kind of situation it is useful to define the policy 
in a systematic manner, i.e., to have a formal policy model. 

Another and a more important reason for having a formally specified policy is that 
most, or maybe even all, of the policy information should be directly accessible by the 
computer systems. Having a policy control enforced in software (or firmware) rather 
than relying on the users to follow some memorized rules is essential if the policy is to 
be followed. A lot of policy rules are already implicitly present in the operating sys- 
tems, protocols, and applications, and explicitly in their configuration files. Our mis- 
sion includes the desire to make this policy information more explicit, and make it 
possible to manage it in a distributed way. 

2.2 Certificates, Certificate Chains, and Certificate Loops 

A certificate is a signed statement about the properties of some entity. A certificate has 
an issuer and a subject. Typically, the issuer has attested, by signing the certificate, its 
belief that the information stated in the certificate is true. If a certificate states some- 
thing about the issuer him or herself, it is called a self-signed certificate or an auto-cer- 
tificate, in distinction from other certificates whose subject is not the issuer. 

Certificates are usually divided in two categories: Identity certificates and authorisa- 
tion certificates. An identity certificate usually binds a cryptographic key to a name. An 
authorisation certificate, on the other hand, can make a more specific statement; for ex- 
ample, it can state that the subject entity is authorised to have access to a specified 
service. Furthermore, an authorisation certificate does not necessarily need to carry 
any explicit, human understandable information about the identity of the subject. That 
is, the subject does not need to have a name. The subject can prove its title to the certif- 
icate by proving that it possesses the private key corresponding to the certified public 
key; indeed, that is the only way a subject can be trusted to be the (a) legitimate owner 
of the certificate. 

Certificates and trust relationships are very closely connected. The meaning of a 
certificate is to make a reliable statement concerning some trust relationship. Certifi- 
cates form chains, where a subject of a certificate is the issuer of the next one. In a 
chain the trust propagates transitively from an entity to another. These chains can be 
closed into loops, as described in [17]. 

The idea of certificate loops is a central one in analyzing trust. The source of trust is 
almost always the checking party itself. A chain of certificates, typically starting at the 
verifying party and ending at the party claiming authority, forms an open arc. This arc 
is closed into a loop by the online authentication protocol where the claimant proves 
possession of its private key to the verifying party. 

2.3 Authorisation and Anonymity 

In an access control context, an authorisation certificate chain binds a key to an opera- 
tion, effectively stating that the holder of the key is authorised to perform the opera- 
tion. A run time challenge operates between the owner of the operation (the reference 
monitor) and the key, thus closing the certification loop. These two bindings, i.e., the 
certificate chain and the run time authentication protocol, are based on cryptography 
and can be made strong. 

In an authorisation certificate, a person-key binding is different from the person- 
name binding used in the identity certificates. By definition, the keyholder of a key has 
sole possession of the private key. Therefore, the corresponding public key can be used 
as an identifier (a name) of the keyholder. For any public key cryptosystem to work, it 
is essential that a principal will keep its private key to itself. So, the person is the only 
one having access to the private key and the key has enough entropy so that nobody 
else has the same key. Thus, the identifying key is bound tightly to the person that con- 
trols it and all bindings are strong. The same cannot be claimed about human under- 
standable names, which are relative and ambiguous [10]. 

However, having a strong binding between a key and a person does not directly 
help the provider of a controlled service much. The provider does not know if it can 
trust the holder of the key. Such a trust can only be acquired through a valid certificate 
chain that starts at the provider itself. The whole idea of our architecture centres 
around the concept of creating such certificate chains when needed, dynamically pro- 
viding agents the permissions they need. 

The feature of not having to bind keys to names is especially convenient in systems 
that include anonymity as a security requirement. It is easy for a user to create new 
keys for such applications, while creating an authorised false identity is (hopefully) not 
possible. 

2.4 SPKI Certificates 

The Simple Public Key Infrastructure (SPKI) is an authorisation certificate infrastruc- 
ture being standardized by the IETF. The intention is that it will support a range of trust 
models. [7] [8] [9] 

In the SPKI world, principals are keys. Delegations are made to a key, not to a key- 
holder or a global name. Thus, an SPKI certificate is closer to a “capability” as defined 
by [16] than to an identity certificate. There is the difference that in a traditional capa- 
bility system the capability itself is a secret ticket, the possession of which grants some 
authority. An SPKI certificate identifies the specific key to which it grants authority. 
Therefore the mere ability to read (or copy) the certificate grants no authority. The cer- 
tificate itself does not need to be as tightly controlled. 

In SPKI terms, a certificate is basically a signed five tuple (I,S,D,A,V) where 

• I is the Issuer’s (signers) public key, or a secure hash of the public key, 

• S is the Subject of the certificate, typically a public key, a secure hash of a pub- 
lic key, a SDSI name, or a secure hash of some other object such as a Java class, 

• D is a Delegation bit, 

• A is the Authorisation field, describing the permissions or other information that 
the certificate’s Issuer grants to or attests of the Subject, 

• V is a Validation field, describing the conditions (such as a time range) under 
which the certificate can be considered valid. 

The meaning of an SPKI certificate can be stated as follows: 

Based on the assumption that I has the control over the rights or other information 
described in A, I grants S the rights/property A whenever V is valid. Furthermore, if D 
is true and S is a public key (or hash of a public key), S may further delegate the 
rights A or any subset of them. 
2.5 Access Control Revisited 

The traditional way of implementing access control in a distributed system has been 
based on authentication and Access Control Lists (ACLs). In such a system, when exe- 
cution is transferred from one node to another, the originating node authenticates itself 
to the responding node. Based on the identity information transferred during the au- 
thentication protocol, the responding node attaches a local identifier, i.e., a user ac- 
count, to the secured connection or passed execution request (e.g., an RPC call). The 
actual access control is performed locally by determining the user’s rights based on the 
local identifier and local ACLs. 

In an authorisation based system everything works differently. Instead of basing ac- 
cess control decisions on locally stored identity or ACL information, decisions are 
based on explicit access control information, carried from node to node. The access 
rights are represented as authorisation delegations, e.g., in the authorisation field of an 
SPKI certificate. Because the certificates form certificate loops, the interpreter of this 
access control information is always the same party that has initially issued it. The 
rights may, though, have been restricted along the delegation path. 

In Sect. 5 we show how this kind of an infrastructure can be effectively extended to 
an environment of mobile agents, represented as downloadable code, that is run on a 
network of trusted and untrusted execution nodes. 



3 An SPKI based Dynamic Security Architecture for JDK 1.2 

As described in more detail in [25], we have extended the JDK 1.2 security architec- 
ture with SPKI certificates. This makes it possible to dynamically modify the current 
security policy rules applied at a specific Java Virtual Machine (JVM). This dynamic 
modification allows an agent running on one trusted JVM to delegate permissions to 
another agent running on another trusted JVM. 

The components of the basic and SPKI extended access control architecture are enu- 
merated in Table 1 and discussed in more detail in Sections 3.1-3.2. The most relevant 
changes needed to the basic architecture are described in Sect. 3.2. 

Table 1: The parts of the JDK 1.2 access control architecture 

Class or classes                 The role of the class or classes 
Permission and its subclasses    Represent different “tickets” or access rights. 
ProtectionDomain                 Connects the Permission objects to classes. 
Policy and its subclasses        Decide what permissions each class gets. 
AccessController                 The reference monitor. [1] 
3.1 Access Control in JDK 1.2 

The JDK 1.2 has a new, capability based access control architecture. Java capabilities 
are objects called permissions. Each protected resource in the system has a corre- 
sponding permission object that represents access to the resource. There are typically 
many instances of a given permission, possessed by and thus granting access for differ- 
ent classes. 

Permissions are divided into several subtypes that extend the Permission class. 
Each resource type or category, such as files or network connections, has its own Per- 
mission subclass. Inside the category, different instances of the Permission class corre- 
spond to different instances of the resource. In addition, the programmers may provide 
their own Permission subclasses if they create protected resources of their own. 

Just as in any capability-based access control system, the Java classes must be pre- 
vented from creating permissions for themselves and thus gaining unauthorised access. 
This is done by assigning the classes to protection domains. Each class belongs to one 
and only one protection domain. Each ProtectionDomain object has a PermissionCol- 
lection object that holds the permissions of that domain. Only these permissions can be 
used to gain access to resources. The classes cannot change their protection domain 
nor the PermissionCollection of the domain. Thus, the classes are free to create any 
Permission objects they like, but they cannot affect the access control decisions and 
gain unauthorised access. 

The actual access control is done by an object called AccessController. When a 
thread of execution requests access to a protected resource such as a file, the Access- 
Controller object is asked whether the access is granted or not. To determine this, the 
AccessController checks the execution context to see if the caller and all the previous 
classes in the call chain have the Permission object corresponding to the resource. The 
previous classes in the call chain are checked to ensure that a class does not bypass the 
access control simply by calling another class with more permissions. 

3.2 Policy Management 

A security policy defines the rules that mandate which actions the agents in the system 
are allowed or disallowed to do [1]. Java security policy defines what permissions each 
protection domain gets. The objects implementing the security policy management in 
JDK are subclasses of the Policy class. The implementation can be changed easily by 
just creating and installing a new Policy subclass. 

Fig. 1. Classes, domains and permissions 

The default policy implementation of JDK 1.2 uses a set of configuration files to 
define the security policy. This system has several small defects discussed in [21] and 
[25]. Furthermore, this approach makes delegating permissions from a class in one 
JVM to another class in some other JVM virtually impossible, as the delegating party 
should be able to edit the configuration file of the other JVM. We have solved these 
problems by replacing the configuration files with a capability-based policy definition 
that uses SPKI certificates to represent capabilities. 

In our model, the policy manager and the dynamic permission evaluation are 
slightly more complex than in the basic implementation. In the SPKI extended system, 
the main task of the policy manager is to attempt to reduce a set of SPKI certificates to 
form a valid chain from its own key, called the Self key, to the hash of the classes com- 
posing a protection domain, and to interpret the authorisation given by the chain into 
Java Permission objects. This chain reduction includes checking the validity of the cer- 
tificates, checking that all but the last certificate have the delegation bit set, and inter- 
secting the authorisation fields to get the final authorisation given by the chain. 

In the default JDK implementation, the ProtectionDomains get the permissions 
when they are initialized, and the permissions are not revised after that. We have made 
the policy evaluation more dynamic. When a class tries to access a protected resource, 
the reference monitor asks the protection domain whether it contains the specific per- 
mission required, and the protection domain in turn asks the Policy for the permission. 
The Policy will try to produce a certificate chain reduction that would imply the per- 
mission in question. If it fails, the access is not granted. 

The SPKI drafts propose that the Prover (i.e. the class) is responsible of presenting 
a valid certificate chain to the Verifier (i.e. the Policy) at the time of access request or 
authentication [7]. We argue that this approach does not work with mobile agents. Re- 
quiring that each mobile agent includes the logic for locating all certificates needed to 
access resources is infeasible and counterproductive. Instead, we think that the Policy 
will need to locate the relevant certificates as well as to reduce the certificate chains. 
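An added Python model of what Sections 2.4, 3.1 and 3.2 describe; it is not the paper's Java prototype. Certificates are the five-tuple (I, S, D, A, V), with signatures assumed already verified and the authorisation field simplified to a set of permission strings rather than SPKI tags. reduce_chain checks that the links connect, that all but the last certificate carry the delegation bit, and intersects the validity windows and authorisation fields; Policy.implies locates candidate chains itself by depth-first search, as argued above, instead of expecting the agent to present one; AccessController.check_permission requires every class on the call stack to hold the permission, as JDK 1.2 stack inspection does. All key hashes, class hashes and certificates are constructed.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

@dataclass(frozen=True)
class Cert:
    """SPKI five-tuple (I, S, D, A, V); the signature is assumed already verified."""
    issuer: str                 # I: hash of the issuer's public key
    subject: str                # S: hash of a key, or hash of a Java class
    delegate: bool              # D: may the subject delegate further?
    auth: FrozenSet[str]        # A: permissions, simplified to a set of strings
    valid: Tuple[int, int]      # V: (not_before, not_after)

def reduce_chain(self_key: str, target: str, chain: List[Cert], now: int) -> Optional[FrozenSet[str]]:
    """Authorisation the chain grants target at time now, or None if it does not reduce."""
    if not chain or chain[0].issuer != self_key or chain[-1].subject != target:
        return None
    auth, (nb, na) = chain[0].auth, chain[0].valid
    for prev, cert in zip(chain, chain[1:]):
        if prev.subject != cert.issuer or not prev.delegate:   # links connect; all but last need D
            return None
        auth &= cert.auth                                        # rights can only shrink
        nb, na = max(nb, cert.valid[0]), min(na, cert.valid[1])  # validity windows intersect
    return auth if nb <= now <= na else None

def find_chains(self_key: str, target: str, certs: List[Cert]):
    """Depth-first search for issuer-to-subject paths from the Self key to target."""
    def walk(path: List[Cert]):
        if path[-1].subject == target:
            yield path
            return
        for c in certs:
            if c.issuer == path[-1].subject and c not in path:
                yield from walk(path + [c])
    for c in certs:
        if c.issuer == self_key:
            yield from walk([c])

class Policy:
    """Asked per access: does some chain from Self to the class's hash imply the permission?"""
    def __init__(self, self_key: str, certs: List[Cert]):
        self.self_key, self.certs = self_key, list(certs)
    def implies(self, class_hash: str, perm: str, now: int) -> bool:
        return any(perm in (reduce_chain(self.self_key, class_hash, ch, now) or ())
                   for ch in find_chains(self.self_key, class_hash, self.certs))

class AccessController:
    """Reference monitor: every class on the call chain must hold the permission."""
    def __init__(self, policy: Policy, domain_of: Dict[str, str]):
        self.policy, self.domain_of = policy, domain_of          # class -> hash of its domain
    def check_permission(self, call_stack: List[str], perm: str, now: int) -> bool:
        return all(self.policy.implies(self.domain_of[c], perm, now) for c in call_stack)

# Constructed sample: K_self is the verifying JVM's own key, H_* are code hashes.
SELF = "K_self"
CERTS = [
    Cert("K_self", "H_local", False, frozenset({"file:read", "net:connect"}), (0, 100)),
    Cert("K_self", "K_alice", True, frozenset({"file:read", "net:connect"}), (0, 100)),
    Cert("K_alice", "K_agent", True, frozenset({"file:read", "net:connect"}), (10, 50)),
    Cert("K_agent", "H_agent", False, frozenset({"file:read"}), (0, 100)),
    Cert("K_alice", "K_other", False, frozenset({"net:connect"}), (0, 100)),  # D not set,
    Cert("K_other", "H_agent", True, frozenset({"net:connect"}), (0, 100)),   # so this link is dead
]
DOMAIN_OF = {"LocalMain": "H_local", "FileHelper": "H_local", "AgentJar": "H_agent"}

def demo() -> dict:
    ac = AccessController(Policy(SELF, CERTS), DOMAIN_OF)
    return {
        "local_read": ac.check_permission(["LocalMain", "FileHelper"], "file:read", 20),
        "agent_read": ac.check_permission(["AgentJar", "FileHelper"], "file:read", 20),
        "agent_connect": ac.check_permission(["AgentJar", "FileHelper"], "net:connect", 20),
        "agent_read_expired": ac.check_permission(["AgentJar", "FileHelper"], "file:read", 60),
    }
```

In demo() the agent's file:read is granted through the chain K_self → K_alice → K_agent → H_agent, with the validity window narrowed to 10..50 by the middle certificate. Its net:connect request is denied even though FileHelper, further up the stack, holds that permission: the AccessController intersects over every frame, so a class cannot gain access by routing a call through a more privileged one. The K_other path never reduces because the certificate issued to K_other lacks the delegation bit, and at time 60 the agent's chain has expired, so the same read is refused.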



4 Adding Elliptic Curve Based Certificates to Java 

Java defines and partially implements security related functionality as part of its core 
API. This functionality is collected in the java.security package and its subpack- 
ages. To facilitate and co-ordinate the use of cryptographic services, JDK 1.1 intro- 
duced the Java Cryptography Architecture (JCA). It is a framework for both accessing 
and developing new cryptographic functionality for the Java platform. JDK 1.1 itself 
included the necessary APIs for digital signatures and message digests. [7] 

In Java 1.2, JCA has been significantly extended. It now encompasses the cryptog- 
raphy related parts of the Java Security API, as well as a set of conventions and specifi- 
cations. Further, the basic API has been complemented with the Java Cryptography 
Extension (JCE), which includes further implementations of encryption and key ex- 
change functionality. This extension, however, is subject to the US export restrictions 
and is therefore not available to the rest of the world. To fully utilise Java as a platform 
for secure applications, the necessary cryptographic functionality has to be developed 
outside the US. 

4.1 The Java Cryptography Architecture 

One of the key concepts of the JCA is the provider architecture. The key idea is that all different implementations of a particular cryptographic service conform to a common interface. This makes these implementations interchangeable; the user of any cryptographic service can choose whichever implementation is available and be assured that his application will still function. 

To achieve true interoperability, Java 1.2 defines cryptographic services in an abstract fashion as engine classes. The following engine classes, among others, have been defined in Java 1.2: 

• MessageDigest - used to calculate the message digest (hash) of given data 

• Signature - used to sign data and verify digital signatures 

• KeyPairGenerator - used to generate a pair of public and private keys suitable for a specific algorithm 

• CertificateFactory - used to create public key certificates and Certificate Revocation Lists (CRLs) 

• AlgorithmParameterGenerator - used to generate a set of parameters to be used with a certain algorithm 

A generator is used to create objects with brand-new contents, whereas a factory creates objects from existing material. 

To implement the functionality of an engine class, the developer has to create classes that inherit the corresponding abstract Service Provider Interface (SPI) class and implement the methods defined in it. This implementation then has to be installed in the Java Runtime Environment (JRE), after which it is available for use. [7] [8] 

4.2 Implementing an Elliptic Curve Cryptography Provider in Java 1.2 

In our project we implemented the Elliptic Curve Digital Signature Algorithm (ECDSA). The signature algorithm and all the necessary operations are defined in IEEE P1363 and ANSI X9.62 drafts. To facilitate the interoperability of different implementations, Java 1.2 includes standard names for several algorithms in each engine class together with their definitions. ECDSA, however, is not among them. We therefore propose that ECDSA should be adopted in Java 1.2 as a standard algorithm for signatures. 

Similarly to the DSA implementation in JDK 1.2, we have defined interfaces for the keys, algorithm parameters (curves) and points. These are used to facilitate the use of different co-ordinate representations and arithmetics. Our implementation of ECDSA uses prime fields and affine co-ordinates. The mathematics have been implemented using the BigInteger class. The BigInteger class is easy to use and flexible as it implements several operations necessary for modular arithmetic and provides arbitrary precision. The down side is that performance is not optimal. If the key length could be kept small enough, the arithmetic could be based on the long type. The necessary operations could be based on using a few long type variables for each value. With regular elliptic curves, which require a key length of at least 160 bits, this approach might be inconvenient, but if hyperelliptic curves were used, the approach could prove feasible. 

Even further improvements in performance could be achieved by implementing the key mathematical operations in hardware, e.g., in a mobile host. With the small key size of (hyper)elliptic curves, this would not pose unreasonable demands on the processor design or memory. 



5 Extending Java Protection Domains into Distributed Agents 



The dynamic and distributed nature of the SPKI based Java protection domains, described in Sect. 3, opens up new possibilities for their use. In particular, it is possible to dynamically delegate a permission from one domain, executing on one Java virtual machine, to another domain, executing on another Java virtual machine. For example, when a distributed application requests a service from a server, it might want to allow a certain class, an agent, in the server to execute as if it were the user that started the application in the first hand. This ability allows us to view the protection domains not just as internal Java properties, but they can be considered to represent active agents that are created and executed in the network. 

In order to be able to perform these kinds of functions, the domains (or agents) involved must have local access to some private keys, and a number of trust conditions must be met. The requirement of having access to a private key can be easily accomplished by creating a temporary key pair for each policy domain, i.e., for each incarnation of an agent. 

This is acceptable from a security point of view, because the underlying JVM must be trusted anyway, and so it can be trusted to provide temporary keys as well. The public temporary key can be signed by the local machine key, denoting it as belonging to the domain involved. 

To analyze the trust conditions, let us consider the situation depicted in Fig. 2. The user U wants to use a protected resource R, located on the server S. However, we assume that it is not possible or feasible that the user U would have a direct secured connection with S. As an example application, the user may be using a mobile terminal whose connectivity cannot be guaranteed. So, instead of a direct connection the user's actions are carried out by one or more intermediate nodes N_i, each acting on the user's behalf. 

Fig. 2. The user U requests a service needing the resource R through intermediate nodes N_1, ..., N_k. (Figure not reproduced here.) 

The setting is still slightly more complicated by the assumption that the code that actually executes at the server S and the intermediate nodes N_i consists of independent agents, which are dynamically loaded as needed. In practical terms, in our prototype these agents are Java class packages (jar files), carrying SPKI certificates within themselves. The agents are named as A_S for the agent eventually running at the server S, and as A_i for the agents running at the intermediate nodes N_i. 

It is crucial to note that when the execution begins, the user U typically does not know the identity of the server S, the intermediate nodes N_i, or the agents A_S, A_i. Instead, she has expressed her confidence towards a number of administrators (described below), who in turn certify the trustworthiness of S and N_i. Correspondingly, the server S has no idea about the user U or the nodes N_i. Again, it trusts a number of administrators to specify an explicit security policy on its behalf. 

5.1 Trust Requirements 

Since we assume that the nodes in the network do not necessarily nor implicitly trust each other or the executable agents, a number of trust conditions must be met and explicitly expressed. 

First, from the user’s point of view, the following conditions must be met. 

• The user U must trust the server S to provide the desired service S_R granting access to the resource R. This trust is expressed through a sequence of trust administrators TA_i, where the last administrator TA_k confirms that S indeed is a server that provides the service S_R. 

• The user U must trust the agent A_S, and delegate the right of accessing the resource R to it. However, the actual runtime identity (i.e., the temporary public key) of the particular activation of A_S, running on S on the behalf of U on this occasion, is not initially known but created at runtime. On the other hand, U must certify the code of A_S so that it may be loaded on her behalf. 

• The user U must consider each of the intermediate nodes N_i to be trustworthy enough to execute code on and to participate in accessing the resource R on her behalf. For simplicity, in this case we have assumed that the trustworthiness of the nodes is certified by a single trust authority TA_N, directly trusted by the user U. 

• The user U must trust the intermediate agents A_i, while running on the nodes N_i, to execute on her behalf and to participate in the process. Again, the temporary public keys of the actual incarnations of the agents are created only at runtime. 

From the server’s point of view, a number of similar conditions must be met. 

• The user U must be authorised to access the resource R. Since the resource R is controlled by the server S, the source of this authority must be S itself. Typically, this authorisation is achieved through a chain of independent security policy administrators PA_i. 

• The server S must trust the intermediate nodes N_i to faithfully represent the user U.* This means, among other things, that when an agent is running on any of these nodes, S trusts that the node has faithfully created and certified the temporary key pair that represents the agent. For simplicity, we have assumed that the server S assumes the user U to be competent enough to determine which nodes to trust. Thus, in practice, the certificate chain used to delegate the right to access the resource R may be combined with the chain certifying U's proficiency in determining node trustworthiness. 

5.2 Expressing the Trust Requirements with SPKI Certificates 

Using SPKI certificates, it is possible to explicitly express the static and dynamic trust and delegation relationships. In the following, the appearance of the symbols U, S, N_i, TA_i, TA_N and PA_i as the issuer or the subject of the certificates denotes the (static) public key of the respective principal. On the other hand, to explicitly communicate the dual nature of the agents as dynamically loaded code and dynamically created key pairs that represent them, h(A) denotes a hash code calculated over the code of the agent A, and K_{N,A} denotes a temporary key that the node N has created for the agent A. Furthermore, the symbol R is used to denote the permission to access the resource R. 

Normal SPKI certificates are represented as 4-tuples (I, S, D, A), where the validity field is left out. Correspondingly, SPKI name certificates are represented as ((I's name), S), denoting that the issuer I has bound the name for the principal S. 

User trust requirements. First, U's trust on S is represented through a certificate chain Cert. 1 ... Cert. 3. 

(U, TA_1, true, S_R)   Cert. 1 

Cert. 2 

(TA_k, S, false, S_R)   Cert. 3 

Second, U must further certify that the agents, when run, may use whatever rights U has granted to the agents as code. Since U does not know where the agents will be run, SPKI certificates containing indirect naming are used to denote this delegation. 

(U, (U's N's h(A_i)), false, act as h(A_i))   Cert. 4 

where (N's h(A_i)) is an SPKI name denoting the running agent A_i, running on an arbitrary node N, named by U. 

Next, U must certify that the nodes are trustworthy to execute code. U has delegated this right to TA_N; thus, a chain of two certificates is needed for each node. In practice, the right of running code on the issuer's behalf is represented by a number of SPKI naming certificates that transfer the node name N, used above, from U's name space to the name space of the trust authority TA_N. The trust authority TA_N, on its behalf, names a specific node N_i as a node N, which, consecutively, has the authority to bind the agent hash h(A_i) to a public key. 

((U's N), (TA_N's N))   Cert. 5 

((TA_N's N), N_i)   Cert. 6 

* More generally, the server S must trust the intermediate nodes to faithfully represent any user, or at least any user that has the authority and a need to access the resource R. 

Furthermore, the user U must certify the actual code of the agents A_i. In a real situation, this would happen through another certificate chain. However, for simplicity, we assume that the user has written the agents herself, and therefore certifies their code directly. 

(U, h(A_i), true, R)   Cert. 7 

Server trust requirements. Similar to the user, the server S must authorise the user U to access the resource R, represented as the chain Cert. 8 ... Cert. 10. 

(S, PA_1, true, R)   Cert. 8 

Cert. 9 

(PA_k, U, true, R)   Cert. 10 

Since the user is allowed to directly denote which nodes she trusts, no other certificates are needed on the server's behalf. 

Initial reductions. Reducing Certificates 1-3, one gets the certificate 

(U, S, false, S_R)   Cert. 11 

This is sufficient for the user, and for anybody acting on the user's behalf, to verify that the server S really provides the desired service S_R, which allows one to access the resource R. 

Respectively, reducing the Certificates 4-6, the result is 

(U, (N_i's h(A_i)), false, act as h(A_i))   Cert. 12 

denoting that the user U has delegated to the agent A_i, as named by the node N_i, the right to use the rights assigned to the agent's code.** 

5.3 Runtime Behaviour 

The run time permission delegation is advanced step by step, from the user through the intermediate nodes to the server. We next describe the initial step, a generic intermediate step, and the final step at the server. 

Initiation of action. As the user U initiates her access, she contacts the first intermediate node N_1. The node loads the agent A_1, generates a temporary key K_{N_1,A_1} for the agent, and creates an SPKI name certificate (Cert. 13) to name the agent. 

((N_1's h(A_1)), K_{N_1,A_1})   Cert. 13 

Reducing this with Cert. 12 gives the newly created key the acting right. 

(U, K_{N_1,A_1}, false, act as h(A_1))   Cert. 14 

Combining this, on the semantic level***, with Certificates 7-10, results in the creation of Cert. 15 that finally denotes that the newly created key has the S delegated permission to access R, and to further delegate this permission. 

(S, K_{N_1,A_1}, true, R)   Cert. 15 

** The reader should notice that this, naturally, allows N_i to delegate this right to itself. However, this is acceptable and inevitable, as the node N_i is trusted for creating and signing the agent's public key. 

Intermediate delegation. Let us next consider the situation where the node N_i has gained the access right. 

(S, K_{N_i,A_i}, true, R)   Cert. 16 

The node initiates action on the next node, N_{i+1}, that launches and names the agent running on it. 

((N_{i+1}'s h(A_{i+1})), K_{N_{i+1},A_{i+1}})   Cert. 17 

Reducing this with the chain leading to Cert. 12 results in 

(U, K_{N_{i+1},A_{i+1}}, false, act as h(A_{i+1}))   Cert. 18 

Having this, together with the Cert. 12 chain, A_i can be sure that it is fine to delegate the right expressed with Cert. 16 further to K_{N_{i+1},A_{i+1}}. 

(K_{N_i,A_i}, K_{N_{i+1},A_{i+1}}, true, R)   Cert. 19 

Combining Cert. 19 with Cert. 16 results in 

(S, K_{N_{i+1},A_{i+1}}, true, R)   Cert. 20 

which effectively states that A_{i+1}, running on node N_{i+1}, is permitted to access the resource R and to further delegate this permission. 



Final step. In the beginning of the final step, agent A_k, executing on node N_k, has gained the right to access R. 

(S, K_{N_k,A_k}, true, R)   Cert. 21 

Agent A_k now launches agent A_S to run on the server S. S creates a temporary key K_S for the agent, and publishes it as a certificate. 

((S's h(A_S)), K_S)   Cert. 22 

Again, combining this with the Cert. 12 chain gives 

(U, K_S, false, act as h(A_S))   Cert. 23 

which allows the agent A_k to decide to delegate the right to access the resource R. 

(K_{N_k,A_k}, K_S, false, R)   Cert. 24 

Reducing Cert. 24 with Cert. 21 results in Cert. 25. 

(S, K_S, true, R)   Cert. 25 

*** With semantic level we mean here that mere syntactic SPKI reduction is not enough, but that the interpreter of the certificates must interpret the expression "act as h(A_i)". 

The final certificate, Cert. 25, can now be trivially closed into a certificate loop by S, since S itself has created the key K_S, and therefore can trivially authenticate it. In other words, this can be seen easily to reduce into a virtual self-certificate Cert. 26. 

(S, S, false, R)   Cert. 26 

Cert. 26, closed on the behalf of the agent A_S, finally assures the server S that the agent does have the right to access the protected resource R. 
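The chain reduction the Policy performs in Sect. 3 (delegation-bit check on every certificate but the last, intersection of the authorisation fields) and the runtime chain of Sect. 5.3 (Certs 7, 8, 10, 12 and 13 reduced to Cert. 15) are shown together in the following added Python example; it is not the authors' prototype code. Principals, agent hashes and the temporary key are constructed string labels, the PA chain is shortened to a single administrator, and the treatment of "act as h(A)" as inheritance of the rights granted to the code hash is our reading of the semantic step the text describes, not an SPKI rule.

```python
"""SPKI 4-tuple reduction driving a Policy decision (added example, not the authors' code)."""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class AuthCert:
    """(I, S, D, A): issuer, subject, delegation bit, authorisation set; validity omitted."""
    issuer: str
    subject: str
    delegate: bool
    auth: frozenset


@dataclass(frozen=True)
class NameCert:
    """((issuer's name), subject): the issuer binds a name in its name space to a key."""
    issuer: str
    name: str
    subject: str

    def qualified(self) -> str:
        return f"({self.issuer}'s {self.name})"


def reduce_pair(a: AuthCert, b: AuthCert) -> Optional[AuthCert]:
    """b must be issued by a's subject and a must carry the delegation bit; the result
    grants only the intersection of the two authorisation fields."""
    if a.subject != b.issuer or not a.delegate:
        return None
    return AuthCert(a.issuer, b.subject, b.delegate, a.auth & b.auth)


def reduce_chain(chain) -> Optional[AuthCert]:
    acc = chain[0]
    for cert in chain[1:]:
        acc = reduce_pair(acc, cert)
        if acc is None:
            return None
    return acc


def resolve_name(cert: AuthCert, names) -> AuthCert:
    """Cert. 12 + Cert. 13: a named subject such as (N_1's h(A_1)) becomes the bound key."""
    for nc in names:
        if cert.subject == nc.qualified():
            return replace(cert, subject=nc.subject)
    return cert


def act_as(acting: AuthCert, code_cert: AuthCert) -> Optional[AuthCert]:
    """Semantic step (Cert. 14 + Cert. 7), assumed here: a key that issuer I lets
    'act as h(A)' inherits whatever I granted to the code hash h(A)."""
    if f"act as {code_cert.subject}" not in acting.auth or acting.issuer != code_cert.issuer:
        return None
    return AuthCert(acting.issuer, acting.subject, code_cert.delegate, code_cert.auth)


def expand_store(store, names):
    resolved = [resolve_name(c, names) for c in store]
    derived = [d for c in resolved for code in resolved for d in [act_as(c, code)] if d]
    return resolved + derived


def find_chains(store, issuer, subject, seen):
    """Depth-first search for chains from issuer to subject: the Policy locates the
    certificates itself instead of expecting the mobile agent to present them."""
    for c in store:
        if c.issuer != issuer or c.subject in seen:
            continue
        if c.subject == subject:
            yield [c]
        else:
            for rest in find_chains(store, c.subject, subject, seen | {c.subject}):
                yield [c] + rest


def grants(store, names, owner, key, perm) -> bool:
    """Access decision: some chain from the resource owner to the requesting key must
    reduce to a certificate that still contains perm after the intersections."""
    for chain in find_chains(expand_store(store, names), owner, key, {owner}):
        reduced = reduce_chain(chain)
        if reduced is not None and perm in reduced.auth:
            return True
    return False


# Constructed store following Sect. 5.2/5.3, with a single policy administrator.
R = frozenset({"R"})
STORE = [
    AuthCert("S", "PA_1", True, R),                                         # Cert. 8
    AuthCert("PA_1", "U", True, R),                                         # Cert. 10
    AuthCert("U", "h(A_1)", True, R),                                       # Cert. 7
    AuthCert("U", "(N_1's h(A_1))", False, frozenset({"act as h(A_1)"})),  # Cert. 12
]
NAMES = [NameCert("N_1", "h(A_1)", "K_N1A1")]                               # Cert. 13
# Same store, but PA_1 grants U the right without the delegation bit set.
NO_DELEGATION = [STORE[0], AuthCert("PA_1", "U", False, R)] + STORE[2:]
```

Two chains reach K_N1A1 from S in the constructed store: one ending in the resolved Cert. 12 itself, whose authorisation field intersects with {R} to the empty set and so grants nothing, and one ending in the derived (U, K_N1A1, true, R), which reduces to Cert. 15. With NO_DELEGATION the reduction stops at (S, U, false, R) and the key gets nothing.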

5.4 Preserving Privacy 

Using SPKI Certificate Reduction Certificates (CRC) provides the user U a simple way to stay anonymous while still securely accessing the resource R. If any of the policy administrators PA_i on the trust path leading from S to U is available online and willing to create CRCs, the user can feed it the relevant items of Cert. 9, Cert. 10, and Certs 4-6 and Cert. 7. This allows the policy administrator PA_i to create CRCs Cert. 27 and Cert. 28, for Certs 4-6 and Cert. 7, respectively. 

(PA_i, (N_i's h(A_i)), false, act as h(A_i))   Cert. 27 

(PA_i, h(A_i), true, R)   Cert. 28 

Then, in the rest of the algorithm, Cert. 27 is used instead of Cert. 12, and Cert. 28 is used instead of Cert. 7. Using this technique, other nodes than N_1 do not see U's key at all. The only identity information they can infer is that the user who effectively owns the computation is some user whom PA_i has directly or indirectly delegated the permission to access the resource R. 

To further strengthen privacy, PA_i may encrypt parts of the certificates that it issues. Since these certificates will be used by PA_i itself for creating CRCs only, nobody else but PA_i itself needs to be able to decrypt the encryption. This makes it virtually impossible to find out the identities of the users that PA_i has issued rights in the first place. 



6 Implementing the Architecture 

We are building a JDK 1.2 based prototype, where distinct JVM protection domains could delegate Java Permission objects, in the form of SPKI certificates, between each other. At this writing (September 1998), we have completed the integration of SPKI certificates into the basic JVM security policy system [25], implemented the basic functionality of ECDSA in pure Java [15], and integrated these two together so that the SPKI certificates are signed with ECDSA signatures, yielding improved performance in key generation. 

Our next steps include facilities for transferring SPKI certificates between the Java Virtual Machines, and extending the Java security policy objects to recognize and support dynamically created delegations. Initially, we plan to share certificates through the file system between a number of JVMs running as separate processes under the UNIX operating system. 




Preserving Privacy in Distributed Delegation with Fast Certificates (p. 151) 



In addition, we are building a prototype of the ISAKMP [18] security protocol framework. This will allow us to create secure connections between network separated JVMs. The ISAKMP also allows us to easily transfer SPKI certificates and certificate chains between the virtual machines. 

In order to support dynamic search and resolving of distributedly created SPKI certificate chains [3], we are integrating the Internet Domain Name System (DNS) certificate resource record (RR) format into our framework. This will allow us to store and retrieve long living SPKI certificates in the DNS system [22]. 



7 Conclusions 

In this paper we have shown how authorisation certificates combined with relatively fast, elliptic curve based public key cryptography can be used to dynamically delegate authority in a distributed system. We analyzed the trust requirements of such a system in a fairly generic setting (Sect. 5.1), illustrated the details of how these trust requirements can be represented and verified with SPKI certificates (Sect. 5.2), and explained how the agents delegate permissions at run time by creating new key pairs and certificates. Finally, we outlined how the system can be utilized in a way that the user's identity is kept anonymous while still keeping all authorisations and connections secure (Sect. 5.4). 

We are in the process of implementing a prototype of the proposed system. At the moment, we have completed the basic integration of SPKI certificates into the JDK 1.2 access control system (Sect. 3) and our first pure Java implementation of the ECDSA algorithms (Sect. 4). The next step is to integrate these with a fully distributed certificate management and retrieval system. The resulting system will allow distributed management of distributed systems security policies in fairly generic settings. In our view, the system could be used, e.g., as an Internet wide, organization borders crossing security policy management system. 
Abstract. This paper presents some new unknown key-share attacks on STS-MAC, the version of the STS key agreement protocol which uses a MAC algorithm to provide key confirmation. Various methods are considered for preventing the attacks. 



1 Introduction 

Key establishment is the process by which two (or more) entities establish a shared secret key. The key may subsequently be used to achieve some cryptographic goal, such as confidentiality or data integrity. Ideally, the established key should have precisely the same attributes as a key established face-to-face — for example, it should be shared by the (two) specified entities, it should be distributed uniformly at random from the key space, and no unauthorized (and computationally bounded) entity should learn anything about the key. 

Key establishment protocols come in various flavors. In key transport protocols, a key is created by one entity and securely transmitted to the second entity, while in key agreement protocols both parties contribute information which is used to derive the shared secret key. In symmetric protocols the two entities a priori possess common secret information, while in asymmetric protocols the two entities share only public information that has been authenticated. This paper is concerned with two-party key agreement protocols in the asymmetric setting. 

Unfortunately, the requirement that key agreement protocols have the same properties as face-to-face key establishment is too vague to be much help to protocol designers, who instead focus on designing protocols to meet more explicit requirements. Implicit key authentication and key confirmation are two explicit requirements that are often considered essential. 

Let A and B be two honest entities, i.e., legitimate entities who execute the steps of a protocol correctly. Informally speaking, a key agreement protocol is said to provide implicit key authentication (of B to A) if entity A is assured that no other entity aside from a specifically identified second entity B can possibly learn the value of a particular secret key. Note that the property of implicit key authentication does not necessarily mean that A is assured of B actually possessing the key. A key agreement protocol which provides implicit key authentication to both participating entities is called an authenticated key agreement (AK) protocol. 

Informally speaking, a key agreement protocol is said to provide explicit key confirmation (of B to A) if entity A is assured that the second entity B has actually computed the agreed key. The protocol provides implicit key confirmation if A is assured that B can compute the agreed key. While explicit key confirmation appears to provide stronger assurances to A than implicit key confirmation (in particular, the former implies the latter), it appears that, for all practical purposes, the assurances are in fact the same. That is, the assurance that A requires in practice is merely that B can compute the key rather than that B has actually computed the key. Indeed in practice, even if a protocol does provide explicit key confirmation, it cannot guarantee to A that B will not lose the key between key establishment and key use. Thus it would indeed seem that implicit key confirmation and explicit key confirmation are in practice very similar. 

If both implicit key authentication and (implicit or explicit) key confirmation (of B to A) are provided, then the key establishment protocol is said to provide explicit key authentication (of B to A). A key agreement protocol which provides explicit key authentication to both participating entities is called an authenticated key agreement with key confirmation (AKC) protocol. 

In addition to implicit key authentication and key confirmation, a number of other desirable security attributes of key agreement protocols have been identified including known-key security, forward secrecy, key-compromise impersonation, and unknown key-share. These are typically properties possessed by face-to-face key establishment which may be more or less important when a key establishment protocol is used to provide security in real-life applications. 

An unknown key-share (UKS) attack on an AK or AKC protocol is an attack whereby an entity A ends up believing she shares a key with B, and although this is in fact the case, B mistakenly believes the key is instead shared with an entity E ≠ A. The significance of UKS attacks on AK and AKC protocols is further discussed in §3. 

This paper presents some new on-line UKS attacks on STS-MAC, the variant of the station-to-station (STS) [?] AKC protocol which uses a MAC to provide key confirmation. For an extensive survey on key establishment, see Chapter 12 of [?]. For a recent survey on authenticated Diffie-Hellman key agreement protocols, see [?]. Formal definitions of authenticated key agreement can be found for the symmetric setting in [?] and for the asymmetric setting in [?]. 

The remainder of this paper is organized as follows. The STS protocol is described in §2. In §3 we present the new on-line UKS attacks on STS-MAC, and consider ways of preventing the attacks. In §4 we examine the plausibility of an assumption regarding signature schemes that is required in order for the attacks to succeed. §5 makes concluding remarks. 
2 Description of STS 

The station-to-station (STS) protocol is a Diffie-Hellman-based AKC protocol that purports to provide both (mutual) implicit key authentication and (mutual) key confirmation, and additionally appears to possess desirable security attributes such as forward secrecy and key-compromise impersonation. The STS protocol, as described in [?], provides (explicit) key confirmation by using the agreed key K in a symmetric-key encryption scheme; we call this protocol STS-ENC. A variant of STS mentioned in [?], which we call STS-MAC, provides (explicit) key confirmation by using the agreed key K in a MAC algorithm. 

STS-MAC may be preferred over STS-ENC in many practical scenarios because of existing export or usage restrictions on secure encryption. Moreover, the use of encryption to provide key confirmation in STS-ENC is questionable — traditionally the sole goal of encryption is to provide confidentiality and if an encryption scheme is used to demonstrate possession of a key then it is shown by decryption, not by encryption. One advantage of STS-ENC over STS-MAC is that the former can facilitate the provision of anonymity. 

Many protocols related to STS have appeared in the literature (e.g., [?], [?]). It should be noted, however, that these protocols cannot be considered to be minor variants of STS — as this paper shows, the former protocols have some security attributes that are lacking in STS. 

The following notation is used throughout the paper. 

Notation 

A, B        Honest entities. 

E           The adversary. 

S_A         A's (private) signing key for a signature scheme S. 

P_A         A's (public) verification key for S. 

S_A(M)      A's signature on a message M. 

Cert_A      A's certificate containing A's identifying information, A's public signature key P_A, and possibly some other information. 

E_K(M)      Encryption of M using a symmetric-key encryption scheme with key K. 

MAC_K(M)    Message authentication code of M under key K. 

G, α, n     Diffie-Hellman parameters; α is an element of prime order n in the finite multiplicative group G. 

r_A         A's ephemeral Diffie-Hellman private key; 1 ≤ r_A ≤ n − 1. 

K           Ephemeral Diffie-Hellman shared secret; K = α^{r_A r_B}. 



The two STS variants are presented below (see also [?]). In both descriptions, A is called the initiator, while B is called the responder. 



STS-MAC Protocol. The STS-MAC protocol is depicted below. Initiator A selects a random secret integer r_A, 1 ≤ r_A ≤ n − 1, and sends to B the message (1). Upon receiving (1), B selects a random secret integer r_B, 1 ≤ r_B ≤ n − 1, computes the shared secret K = α^{r_A r_B}, and sends message (2) to A. Upon receiving (2), A uses Cert_B to verify the authenticity of B's signing key P_B, verifies B's signature on the message (α^{r_B}, α^{r_A}), computes the shared secret K = α^{r_A r_B}, and verifies the MAC on S_B(α^{r_B}, α^{r_A}). A then sends message (3) to B. Upon receipt of (3), B uses Cert_A to verify the authenticity of A's signing key P_A, verifies A's signature on the message (α^{r_A}, α^{r_B}), and verifies the MAC on S_A(α^{r_A}, α^{r_B}). If at any stage a check or verification performed by A or B fails, then that entity terminates the protocol run, and rejects. 

(1) A → B :  A, α^{r_A} 

(2) A ← B :  Cert_B, α^{r_B}, S_B(α^{r_B}, α^{r_A}), MAC_K(S_B(α^{r_B}, α^{r_A})) 

(3) A → B :  Cert_A, S_A(α^{r_A}, α^{r_B}), MAC_K(S_A(α^{r_A}, α^{r_B})) 

STS-ENC Protocol. The STS-ENC protocol is given below. For the sake of brevity, the checks that should be performed by A and B are henceforth omitted. 

(1) A → B :  A, α^{r_A} 

(2) A ← B :  Cert_B, α^{r_B}, E_K(S_B(α^{r_B}, α^{r_A})) 

(3) A → B :  Cert_A, E_K(S_A(α^{r_A}, α^{r_B})) 
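The STS-MAC run described above, with every check both parties perform spelled out, as an added Python example (not the paper's code). It uses a constructed toy Diffie-Hellman group (p = 1019, n = 509, α = 4) that is far too small for real use, a Schnorr signature in the same group stands in for the signature scheme S, and the certificate layout (identity, P_A, CA signature over both) is likewise an assumption. Each party records whom it believes it shares K with after the run, which is precisely the belief a UKS attack targets.

```python
"""STS-MAC exchange with both sides' checks (added example, not the paper's code)."""
import hashlib
import hmac
import secrets

# Toy group, constructed for the example: p = 2n + 1 with n prime; ALPHA = 2^2 has order n.
P_MOD, N_ORDER, ALPHA = 1019, 509, 4
assert pow(ALPHA, N_ORDER, P_MOD) == 1 and ALPHA != 1


def enc(*parts) -> bytes:
    """Length-prefixed encoding of message fields, so hashing and MACing are unambiguous."""
    out = b""
    for p in parts:
        s = str(p).encode()
        out += len(s).to_bytes(2, "big") + s
    return out


def hash_mod_n(*parts) -> int:
    return int.from_bytes(hashlib.sha256(enc(*parts)).digest(), "big") % N_ORDER


def rand_exp() -> int:
    return secrets.randbelow(N_ORDER - 1) + 1       # uniform in [1, n-1]


# Schnorr signatures in the same group stand in for the signature scheme S of the paper.
def keygen():
    s = rand_exp()
    return s, pow(ALPHA, s, P_MOD)                   # (S_A, P_A)


def sign(s, *msg):
    k = rand_exp()
    e = hash_mod_n(pow(ALPHA, k, P_MOD), *msg)
    return e, (k + s * e) % N_ORDER


def verify(pub, sig, *msg) -> bool:
    e, z = sig
    if not (0 <= e < N_ORDER and 0 <= z < N_ORDER):
        return False
    r = pow(ALPHA, z, P_MOD) * pow(pub, N_ORDER - e, P_MOD) % P_MOD
    return hash_mod_n(r, *msg) == e


def mac(K: int, *msg) -> bytes:
    """MAC_K(msg): HMAC-SHA256 keyed with the agreed key K itself, as STS-MAC specifies."""
    return hmac.new(K.to_bytes(4, "big"), enc(*msg), hashlib.sha256).digest()


def issue_cert(ca_priv, ident, pub):
    """Cert_A = (identity, P_A, CA signature binding the two)."""
    return ident, pub, sign(ca_priv, "cert", ident, pub)


def check_cert(ca_pub, cert) -> bool:
    ident, pub, ca_sig = cert
    return verify(ca_pub, ca_sig, "cert", ident, pub)


def run_sts_mac(A, B, ca_pub):
    """One STS-MAC run. A and B are (identity, signing key, certificate). Returns
    (K_A, K_B, peer A believes she shares K_A with, peer B believes he shares K_B with)."""
    idA, sA, certA = A
    idB, sB, certB = B
    # (1) A -> B : A, alpha^rA
    rA = rand_exp()
    gA = pow(ALPHA, rA, P_MOD)
    msg1 = (idA, gA)
    # (2) B -> A : Cert_B, alpha^rB, S_B(alpha^rB, alpha^rA), MAC_K(S_B(alpha^rB, alpha^rA))
    _, gA_recv = msg1
    rB = rand_exp()
    gB = pow(ALPHA, rB, P_MOD)
    K_B = pow(gA_recv, rB, P_MOD)
    sigB = sign(sB, gB, gA_recv)
    msg2 = (certB, gB, sigB, mac(K_B, *sigB))
    # A's checks on (2): certificate, signature on (alpha^rB, alpha^rA), then the MAC under K
    certB_recv, gB_recv, sigB_recv, macB_recv = msg2
    if not check_cert(ca_pub, certB_recv):
        raise ValueError("A: responder certificate does not verify")
    if not verify(certB_recv[1], sigB_recv, gB_recv, gA):
        raise ValueError("A: responder signature does not verify")
    K_A = pow(gB_recv, rA, P_MOD)
    if not hmac.compare_digest(macB_recv, mac(K_A, *sigB_recv)):
        raise ValueError("A: responder MAC does not verify")
    # (3) A -> B : Cert_A, S_A(alpha^rA, alpha^rB), MAC_K(S_A(alpha^rA, alpha^rB))
    sigA = sign(sA, gA, gB_recv)
    msg3 = (certA, sigA, mac(K_A, *sigA))
    # B's checks on (3)
    certA_recv, sigA_recv, macA_recv = msg3
    if not check_cert(ca_pub, certA_recv):
        raise ValueError("B: initiator certificate does not verify")
    if not verify(certA_recv[1], sigA_recv, gA_recv, gB):
        raise ValueError("B: initiator signature does not verify")
    if not hmac.compare_digest(macA_recv, mac(K_B, *sigA_recv)):
        raise ValueError("B: initiator MAC does not verify")
    return K_A, K_B, certB_recv[0], certA_recv[0]


def demo():
    ca_priv, ca_pub = keygen()
    sA, pA = keygen()
    sB, pB = keygen()
    A = ("A", sA, issue_cert(ca_priv, "A", pA))
    B = ("B", sB, issue_cert(ca_priv, "B", pB))
    return run_sts_mac(A, B, ca_pub)
```

Note that each party learns its peer's identity only from the certificate attached to the signature it verifies; nothing in the messages themselves ties the signed exponentials to the identities, which is what makes the question of who B believes he shares K with a separate matter from whether the key itself is secret.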



3 Unknown Key-Share Attacks 

An unknown key-share (UKS) attack on a key agreement protocol is an attack whereby an entity A ends up believing she shares a key with B, and although this is in fact the case, B mistakenly believes the key is instead shared with an entity E ≠ A. In this scenario, we say that B has been led to false beliefs. If B is the protocol's initiator, then the attack is called a UKS attack against the initiator. Otherwise, the attack is called a UKS attack against the responder. 

It is important to note that if an AK or AKC protocol succumbs to a UKS attack in which E is a dishonest entity (this is the case with the attacks presented in this paper), then this does not contradict the implicit key authentication property of the protocol — by definition, the provision of implicit key authentication is only considered in the case where B engages in the protocol with an honest entity (which E isn't). 

An attack scenario. A hypothetical scenario where a UKS attack can have damaging consequences is the following; this scenario was first described in [?]. Suppose that B is a bank branch and A is an account holder. Certificates are issued by the bank headquarters and within each certificate is the account information of the holder. Suppose that the protocol for electronic deposit of funds is to exchange a key with a bank branch via an AKC protocol. At the conclusion of the protocol run, encrypted funds are deposited to the account number in the certificate. Suppose that no further authentication is done in the encrypted deposit message (which might be the case to save bandwidth). If the UKS attack mentioned above is successfully launched then the deposit will be made to E's account instead of A's account. 

Another attack scenario. Another scenario where a UKS attack can be 
damaging is the following. Suppose that B controls access to a suite of sensitive 
applications (e.g. salary databases). Each application has a password associated 
with it. The password is chosen and securely distributed by a CA to B and 
to all entities entitled to access that application. The CA also certifies public 
keys of all potential users of one (or more) of the applications. A user A gains 
access to an application by supplying to B the password that is specific to that 
application. This can be done securely as follows. When A wants to gain access 
to the application, she and B engage in a single run of an AKC protocol to 
establish shared keys $K_1$ and $K_2$ ($K_1$ and $K_2$ are derived from the shared secret 
established). A then authenticates and encrypts the password using the keys 
and sends the result to B. B checks the encrypted authenticated password and 
supplies access to A. Once access has been granted, the application establishes 
new keys with A to secure the subsequent use of the application. 

If the AKC protocol does not prevent unknown key-share attacks, an active adversary 
E can induce B into believing that he shares the keys $K_1$ and $K_2$ with E, while A 
correctly believes that she shares the keys with B. E may then use the encrypted 
authenticated password sent by A to gain access to the application. 

Significance of UKS attacks. The importance of preventing UKS attacks 
has been debated in the literature. It is interesting to note that prevention of 
UKS attacks was one of the original design principles of STS [?]. Here we make 
two observations about the relevance of UKS attacks. First, notice that traditional, 
face-to-face key establishment is not susceptible to UKS attacks. Therefore 
anyone implementing a key establishment protocol that does not prevent 
UKS attacks as a drop-in replacement for face-to-face key establishment must 
check whether UKS attacks represent a security concern in the application. Second, 
notice that a UKS attack on an AKC protocol is more serious than a UKS 
attack on an AK protocol (which does not provide key confirmation). As stated 
in [?], keys established using AK protocols should be confirmed prior to cryptographic 
use. Indeed, some standards such as [?] take the conservative approach 
of mandating key confirmation of keys agreed in an AK protocol. If appropriate 
key confirmation is subsequently provided, then the attempt at a UKS attack 
will be detected. For this reason, the above hypothetical banking scenario (in 
particular, the assumption that no further authentication is performed after termination 
of the key agreement protocol) is realistic if an AKC protocol is used 
(since key confirmation has already been provided), and unrealistic if an AK 
protocol is used (since key confirmation has not yet been provided). 

The remainder of this section discusses UKS attacks on STS-MAC and STS-ENC. 
§3.1 describes well-known public key substitution UKS attacks (for example, 
see [?]). These attacks can be prevented if a CA checks possession 
of private keys during the certification process. §3.2 presents new on-line UKS 
attacks on STS-MAC that are not prevented simply by checking knowledge of 
private keys during certification. It suggests other methods which may be used 
to prevent the new attacks. The attacks are similar in spirit to Kaliski’s recent 
attack [?] on the AK protocol of [?] — however the attacks we present are 
more damaging because, unlike Kaliski’s attack, they are not prevented by appropriate 
key confirmation. Finally, in §3.3 we consider possible UKS attacks on 
STS-ENC which may not be prevented by checking knowledge of private keys 
during certification. The attacks in §3.3 are considerably more far-fetched than 
the attacks in §3.2, but they demonstrate the value of public-key validation and 
formal protocol analysis. 

3.1 Public Key Substitution UKS Attacks 

This section describes well-known public key substitution UKS attacks on STS-MAC 
and STS-ENC. 

Attack Against the Responder. In this UKS attack against the responder, 
the adversary E registers A’s public key $P_A$ as its own; i.e., $P_E = P_A$. When 
A sends B message (1), E intercepts it and replaces the identity A with E. E 
then passes message (2) from B to A unchanged. Finally E intercepts message 
(3), and replaces $\mathrm{Cert}_A$ with $\mathrm{Cert}_E$. Since $P_A = P_E$, we have 
$S_A(\alpha^{x}, \alpha^{y}) = S_E(\alpha^{x}, \alpha^{y})$. Hence B accepts the key K and believes that K is shared with 
E, while in fact it is shared with A. Note that E does not learn the value of K. 
The attack is depicted below. The notation $A \nrightarrow B$ means that A transmitted 
a message intended for B, which was intercepted by the adversary and not 
delivered to B. 

(1) $A \nrightarrow B$: $A,\ \alpha^{x}$ 
(1’) $E \rightarrow B$: $E,\ \alpha^{x}$ 
(2) $E \leftarrow B$: $\mathrm{Cert}_B,\ \alpha^{y},\ S_B(\alpha^{y}, \alpha^{x}),\ \mathrm{MAC}_K(S_B(\alpha^{y}, \alpha^{x}))$ 
(2’) $A \leftarrow E$: $\mathrm{Cert}_B,\ \alpha^{y},\ S_B(\alpha^{y}, \alpha^{x}),\ \mathrm{MAC}_K(S_B(\alpha^{y}, \alpha^{x}))$ 
(3) $A \nrightarrow B$: $\mathrm{Cert}_A,\ S_A(\alpha^{x}, \alpha^{y}),\ \mathrm{MAC}_K(S_A(\alpha^{x}, \alpha^{y}))$ 
(3’) $E \rightarrow B$: $\mathrm{Cert}_E,\ S_A(\alpha^{x}, \alpha^{y}),\ \mathrm{MAC}_K(S_A(\alpha^{x}, \alpha^{y}))$ 


Attack Against the Initiator. E can similarly launch a UKS attack against 
the initiator A by registering B’s public key $P_B$ as its own. The attack is depicted 
below. 

(1) $A \rightarrow E$: $A,\ \alpha^{x}$ 
(1’) $E \rightarrow B$: $A,\ \alpha^{x}$ 
(2) $A \nleftarrow B$: $\mathrm{Cert}_B,\ \alpha^{y},\ S_B(\alpha^{y}, \alpha^{x}),\ \mathrm{MAC}_K(S_B(\alpha^{y}, \alpha^{x}))$ 
(2’) $A \leftarrow E$: $\mathrm{Cert}_E,\ \alpha^{y},\ S_B(\alpha^{y}, \alpha^{x}),\ \mathrm{MAC}_K(S_B(\alpha^{y}, \alpha^{x}))$ 
(3) $A \rightarrow E$: $\mathrm{Cert}_A,\ S_A(\alpha^{x}, \alpha^{y}),\ \mathrm{MAC}_K(S_A(\alpha^{x}, \alpha^{y}))$ 
(3’) $E \rightarrow B$: $\mathrm{Cert}_A,\ S_A(\alpha^{x}, \alpha^{y}),\ \mathrm{MAC}_K(S_A(\alpha^{x}, \alpha^{y}))$ 



Preventing the Attacks. Both these public key substitution attacks are 
well-known and are usually prevented by requiring that entities prove to the 
certificate-issuing authority possession of the private keys corresponding to their 
public keys during the certification process. The attacks can also be launched 
against STS-ENC; in this case, an alternate way to prevent the attacks is to 
encrypt certificates using the shared key K. 

3.2 On-line UKS Attacks on STS-MAC 

This section describes the new on-line UKS attacks on STS-MAC. The following 
assumptions are made in order for the attacks to be effective. 

1. The signature scheme S used in STS has the following duplicate-signature 
key selection property. Suppose that $P_A$ (A’s public key) and A’s signature 
$s_A$ on a message M are known. Then the adversary is able to select a key pair 
$(P_E, S_E)$ with respect to which $s_A$ is also E’s signature on the message M. 
The plausibility of this assumption is examined in §4, where it is shown that 
the RSA, Rabin, ElGamal, DSA and ECDSA signature schemes all possess 
the duplicate-signature key selection property in certain situations. 

2. E is able to get its public key certified during a run of the STS protocol. 
This assumption is plausible, for instance, in situations where delays in the 
transmission of messages are normal, and where the CA is on-line. 



Attack Against the Responder. This new UKS attack on STS-MAC is 
similar to the public key substitution attack against the responder in §3.1. After 
A sends message (3), E intercepts it and selects a key pair $(P_E, S_E)$ for the 
employed signature scheme such that $S_E(\alpha^{x}, \alpha^{y}) = S_A(\alpha^{x}, \alpha^{y})$. E then 
obtains a certificate $\mathrm{Cert}_E$ for $P_E$, and transmits message (3’) to B. 

Attack Against the Initiator. This new UKS attack on STS-MAC is similar 
to the public key substitution attack against the initiator in §3.1. After B sends 
message (2), E intercepts it and selects a key pair $(P_E, S_E)$ for the employed 
signature scheme such that $S_E(\alpha^{y}, \alpha^{x}) = S_B(\alpha^{y}, \alpha^{x})$. E then obtains a 
certificate $\mathrm{Cert}_E$ for $P_E$, and transmits message (2’) to A. 

Preventing the Attacks. In the on-line UKS attacks, the adversary knows the 
private key $S_E$ corresponding to its chosen public key $P_E$. Hence, unlike the case 
of the public key substitution attacks, the on-line attacks cannot be prevented 
by requiring that entities prove to the certificate-issuing authority possession 
of the private keys corresponding to their public keys during the certification 
process. 

The following outlines some measures that can be taken to prevent the on-line 
UKS attacks on STS-MAC. 

1. If A sends its certificate $\mathrm{Cert}_A$ in flow (1) rather than in flow (3), then the 
on-line UKS attack against the responder cannot be launched; however the 
on-line UKS attack against the initiator still succeeds. 

2. If certificates are exchanged a priori, i.e., prior to the protocol run, then the 
on-line UKS attacks fail. A priori exchange of certificates may be undesirable 
in practice because it increases the number of protocol flows. 

3. Including the identities of the sender and intended receiver as well as the flow 
number¹ in the messages being signed prevents the on-line UKS attacks. 
Inclusion of the flow number and the identity of the message sender may 
help guard against attacks yet to be discovered. (See [?] for an example 
of how inclusion of flow numbers can help guard against certain attacks 
on entity authentication mechanisms.) These modifications add negligible 
computational overhead to the protocol and follow the generic philosophy 
expounded in [?] and [?]. The revised protocol is shown below. 

(2) $A \leftarrow B$: $\mathrm{Cert}_B,\ \alpha^{y},\ S_B(2, B, A, \alpha^{y}, \alpha^{x}),\ \mathrm{MAC}_K(S_B(2, B, A, \alpha^{y}, \alpha^{x}))$ 
(3) $A \rightarrow B$: $\mathrm{Cert}_A,\ S_A(3, A, B, \alpha^{x}, \alpha^{y}),\ \mathrm{MAC}_K(S_A(3, A, B, \alpha^{x}, \alpha^{y}))$ 

4. In the original STS-MAC protocol and the modification presented in item 3 
above, the agreed key K is used as the MAC key for the purpose of providing 
explicit key confirmation. A passive adversary now has some information 
about K — the MAC of a known message under K. The adversary can use 
this to distinguish K from a key selected uniformly at random from the key 
space². The elegant general principle that in the face of a computationally 
bounded adversary a computationally indistinguishable key can later be used 
in place of a traditional face-to-face secret key anywhere without sacrificing 
security can therefore not be applied (and security must be analyzed on a 
case-by-case basis). Another drawback of providing explicit key confirmation 
in this way is that the agreed key K may be subsequently used with a 
different cryptographic mechanism than the MAC algorithm — this violates 
a fundamental cryptographic principle that a key should not be used for 
more than one purpose. 

An improvement, therefore, is to provide implicit, rather than explicit, key 
confirmation. Two keys K and K’ are derived from $\alpha^{xy}$ using a cryptographic 
hash function H. In practice, this can be achieved by setting 
$K \| K' = H(\alpha^{xy})$, or $K = H(10, \alpha^{xy})$ and $K' = H(01, \alpha^{xy})$. K’ is 
used as the MAC key for the session, while K is used as the agreed session 
key. The revised protocol is depicted below. 

(1) $A \rightarrow B$: $A,\ \alpha^{x}$ 
(2) $A \leftarrow B$: $\mathrm{Cert}_B,\ \alpha^{y},\ S_B(2, B, A, \alpha^{y}, \alpha^{x}),\ \mathrm{MAC}_{K'}(S_B(2, B, A, \alpha^{y}, \alpha^{x}))$ 
(3) $A \rightarrow B$: $\mathrm{Cert}_A,\ S_A(3, A, B, \alpha^{x}, \alpha^{y}),\ \mathrm{MAC}_{K'}(S_A(3, A, B, \alpha^{x}, \alpha^{y}))$ 

We imagine that this protocol (and also the protocol in item 6 below) can 
be analyzed by modeling the hash function H as a random oracle [?]. 

¹ In this paper, we assume that message fields such as flow numbers, identities, and 
group elements are represented using fixed-length encodings and concatenated. Otherwise, 
some other unique prefix-free encoding such as ASN.1 DER [?] should be used. 

5. Instead of including the identities of the entities in the signed message, one 
could include them in the key derivation function, whose purpose is to derive 
the shared key from the shared secret $\alpha^{xy}$. In the protocol of item 3 the 
shared secret key would be $K = H(\alpha^{xy}, A, B)$, while in the 2 protocols 
of item 4 the shared keys would be (i) $K \| K' = H(\alpha^{xy}, A, B)$ and (ii) 
$K' = H(01, \alpha^{xy}, A, B)$ and $K = H(10, \alpha^{xy}, A, B)$. 

However, key derivation functions have not been well-studied by the cryptographic 
community. In particular, the desirable security properties of a key 
derivation function have not yet been specified. For this reason, the protocols 
presented in items 3 and 4 are preferred over the variants which include 
identities in the key derivation function. 

² The key space here is $\{\alpha^{i} : 1 \le i \le n-1\}$. 
6. The protocols in item 4 provide implicit key confirmation. While the assurance 
that the other entity has actually computed the shared key K is not 
provided, each entity does get the assurance that the other has computed the 
shared secret $\alpha^{xy}$. Implicit key confirmation is still provided (to a somewhat 
lesser degree) if the MACs are not included in the flows. The revised 
protocol is shown below: 

(1) $A \rightarrow B$: $A,\ \alpha^{x}$ 
(2) $A \leftarrow B$: $\mathrm{Cert}_B,\ \alpha^{y},\ S_B(2, B, A, \alpha^{y}, \alpha^{x})$ 
(3) $A \rightarrow B$: $\mathrm{Cert}_A,\ S_A(3, A, B, \alpha^{x}, \alpha^{y})$ 



7. ISO 11770-3 [?] has one variant each of the STS-ENC and STS-MAC protocols 
— these are included as “Key agreement mechanism 7” in [?]. Both these 
variants resist the on-line UKS attacks. The ISO variant of STS-MAC, which 
we call ISO-STS-MAC, is the following: 

(1) $A \rightarrow B$: $A,\ \alpha^{x}$ 
(2) $A \leftarrow B$: $\mathrm{Cert}_B,\ \alpha^{y},\ S_B(\alpha^{y}, \alpha^{x}, A),\ \mathrm{MAC}_K(\alpha^{y}, \alpha^{x}, A)$ 
(3) $A \rightarrow B$: $\mathrm{Cert}_A,\ S_A(\alpha^{x}, \alpha^{y}, B),\ \mathrm{MAC}_K(\alpha^{x}, \alpha^{y}, B)$ 

Notice that, unlike the original description of STS-MAC, identities of the 
intended recipients are included in the signatures in ISO-STS-MAC. This 
was apparently done in order to be conformant with the entity authentication 
mechanisms in ISO 9798-3 [?] rather than because of a security concern 
with STS without the inclusion of identities. Another difference between 
ISO-STS-MAC and STS-MAC is that in the former the MAC algorithm is 
applied to the message that is signed, rather than to the signature of the 
message. 

We note that Bellare, Canetti and Krawczyk [?] have recently provided a 
model and security definitions under which ISO-STS-MAC without the inclusion 
of the MACs is provably secure. How their model compares with the 
model of [?] is not entirely clear. 
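As an added illustration of items 3 and 4 above (this is example code, not code from the paper or from any STS implementation), the following Python simulation runs the revised STS-MAC flows with a constructed toy group (p = 23, g of order 11), a toy Schnorr signature standing in for $S_A$ and $S_B$, the fixed-length field encoding of footnote 1, and $K \| K' = H(\alpha^{xy})$ with K’ as the MAC key. The run() function replays the simplest substitution scenario of §3.1 (E registers A’s public key under identity E and rewrites the identity in flow 1), which calls for the same receiver-side check as the on-line attacks: with bind=False (original STS-MAC, only the group elements are signed) B accepts flow 3 believing it shares the key with E, while with bind=True the signed messages name the flow number and both identities, so A’s check on flow 2 and B’s check on flow 3 both fail. The group, the signature scheme, the KDF label and all names are assumptions of this example.

```python
"""Revised STS-MAC (items 3 and 4 above): flow numbers and identities inside
the signed data, and a MAC key K' derived separately from the session key K.
Added example with constructed toy parameters; not code from the paper."""
import hashlib
import hmac
import secrets

# Constructed toy group: p = 23 is a safe prime and g = 2 has prime order q = 11.
# A deployment uses a standard large group; the checks below do not change.
P, Q, G = 23, 11, 2
FLEN = 4  # every field is encoded in exactly FLEN bytes (footnote 1)


def enc(*fields):
    """Fixed-length concatenation of identities and group elements, so the
    signed message parses unambiguously without separators."""
    out = b""
    for f in fields:
        b = f.encode() if isinstance(f, str) else f.to_bytes(FLEN, "big")
        if len(b) > FLEN:
            raise ValueError("field does not fit the fixed-length encoding")
        out += b.ljust(FLEN, b"\x00")
    return out


def signed_msg(flow, sender, receiver, own, peer, bind):
    """Item 3 binds (flow, sender, receiver, own element, peer element);
    the original STS-MAC signs only the two group elements."""
    return enc(flow, sender, receiver, own, peer) if bind else enc(own, peer)


# Toy Schnorr signature over the same group; it stands in for S_A and S_B.
def keygen():
    a = secrets.randbelow(Q - 1) + 1
    return a, pow(G, a, P)


def _challenge(R, msg):
    return int.from_bytes(hashlib.sha256(enc(R) + msg).digest(), "big")


def sign(priv, msg):
    k = secrets.randbelow(Q - 1) + 1
    e = _challenge(pow(G, k, P), msg)
    return e, (k - priv * e) % Q


def verify(pub, msg, sig):
    e, s = sig
    return e == _challenge(pow(G, s, P) * pow(pub, e, P) % P, msg)


def derive_keys(shared):
    """Item 4: K || K' = H(alpha^xy); K' keys the MAC, K is the session key."""
    d = hashlib.sha256(b"STS-KDF" + enc(shared)).digest()
    return d[:16], d[16:]


def mac(key, sig):
    e, s = sig
    return hmac.new(key, e.to_bytes(32, "big") + enc(s), hashlib.sha256).digest()


def run(bind, attack):
    """Returns (A accepts flow 2, B accepts flow 3). With attack=True, E
    registers A's public key under its own identity (Section 3.1) and
    rewrites the identity in flow 1 from A to E."""
    a_priv, a_pub = keygen()
    b_priv, b_pub = keygen()
    # flow 1: A -> B: A, alpha^x   (E substitutes its identity if attacking)
    x = secrets.randbelow(Q - 1) + 1
    ax = pow(G, x, P)
    id_seen_by_b = "E" if attack else "A"
    # flow 2: B signs its view of the run and MACs the signature under K'
    y = secrets.randbelow(Q - 1) + 1
    ay = pow(G, y, P)
    _, b_kp = derive_keys(pow(ax, y, P))
    sig2 = sign(b_priv, signed_msg(2, "B", id_seen_by_b, ay, ax, bind))
    tag2 = mac(b_kp, sig2)
    # A checks flow 2 against what B must have signed for a run with A
    _, a_kp = derive_keys(pow(ay, x, P))
    ok2 = (verify(b_pub, signed_msg(2, "B", "A", ay, ax, bind), sig2)
           and hmac.compare_digest(tag2, mac(a_kp, sig2)))
    # flow 3: A signs; E swaps Cert_A for Cert_E (same key, identity E)
    sig3 = sign(a_priv, signed_msg(3, "A", "B", ax, ay, bind))
    tag3 = mac(a_kp, sig3)
    cert_id = "E" if attack else "A"
    ok3 = (verify(a_pub, signed_msg(3, cert_id, "B", ax, ay, bind), sig3)
           and hmac.compare_digest(tag3, mac(b_kp, sig3)))
    return ok2, ok3
```

The decisive detail is that each party verifies the signature against the message it reconstructs from its own view of the run (flow number, the identity it believes it is talking to, its own and the peer’s group element), rather than against whatever bytes arrived; an adversary who cannot produce a signature over a message naming itself is stopped regardless of how its certificate was obtained.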



3.3 Other UKS Attacks 

The on-line UKS attacks of §3.2 cannot, in general, be launched on STS-ENC 
because the signatures $S_A(\alpha^{x}, \alpha^{y})$ and $S_B(\alpha^{y}, \alpha^{x})$ are not known by the 
adversary. Is it possible to extend the attacks to provide UKS attacks on STS-ENC 
that cannot be prevented by checking knowledge of private keys during 
certification? This section suggests a possible (although unlikely) scenario in 
which such (off-line) attacks on STS-ENC (and STS-MAC) may be successful. 
The attack illustrates two points: 

1. A complete description of STS-ENC should include a complete specification 
of the underlying symmetric-key encryption and signature schemes, together 
with a statement of the security properties they are assumed to possess; and 

2. Performing public-key validation [?] of signature keys is a sensible measure 
to take. (Rationale for performing key validation of public keys for use in 
Diffie-Hellman-based key agreement protocols is provided in [?].) 
The attack is similar to the attack presented in §3.2 but relies on the following 
assumption on the signature scheme: E is able to certify a key pair $(P_E, S_E)$ such 
that A’s signature on any message M is also valid as E’s signature on message 
M. Note that deterministic signature schemes cannot possess this property and 
be secure, since E knows $S_E$ and can therefore compute A’s signatures using 
$S_E$. However it is possible that some probabilistic signature schemes possess this 
property. This is illustrated by the following example. 

Suppose that the underlying signature scheme is the ElGamal signature 
scheme (see §4.3). Suppose that entities select their own domain parameters 
p and g, as may be the case in high security applications. Suppose further that 
when certifying an entity E’s public key $P_E = (p, g, y)$ (where $y = g^{e} \bmod p$ 
and e is E’s private key), the CA does not perform public-key validation; that is, 
the CA does not verify that p, g and y possess the requisite arithmetic properties 
— that p is prime, g is a generator of $\mathbb{Z}_p^*$, and $1 \le y \le p-1$. Finally, suppose 
that the CA verifies that E possesses the private key corresponding to its public 
key by asking E to sign a challenge message. 

If a dishonest entity E selects $g = 0$ (which is not a generator of $\mathbb{Z}_p^*$), then 
$y = 0$. In this case, every pair of integers (r, s), where $1 \le r \le p-1$ and 
$1 \le s \le p-2$, is a valid signature for E on any message M since the ElGamal 
signature verification equation (see §4.3) $g^{m} \equiv y^{r} r^{s} \pmod p$ is satisfied. In 
particular, if the CA does not validate E’s public key, then it will accept E’s 
proof of possession of its private key. 

Having obtained a certificate $\mathrm{Cert}_E$ of such an invalid public key $P_E = (p, 0, 0)$ 
(where the prime p is greater than the prime moduli of A and B), E can 
now launch UKS attacks against the responder or the initiator in both STS-ENC 
and STS-MAC in exactly the same way as described in §3.1. For example, in the 
attack against the initiator, E replaces A’s identity with its own identity in flow 
(1), and then replaces $\mathrm{Cert}_A$ with $\mathrm{Cert}_E$ in flow (3). Note that these are not on-line 
attacks since E can get its public key certified in advance of the attack. Note 
also that these attacks are different from the public key substitution attacks of 
§3.1 because in the former E has indeed demonstrated possession of its private 
key to the CA during the certification process. 

As precautionary measures, we recommend that public-key validation of signature 
keys be performed, and that STS-ENC be modified so that either the flow 
number and identities of the sender and intended recipient are included in the 
signed messages³ or that the identities be included in the key derivation function 
(as in item 5 in §3.2). 
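An added Python illustration of the public-key validation recommended in this section, using constructed toy values (this is example code, not code from the paper): the degenerate ElGamal key (p, 0, 0) discussed above passes textbook signature verification for every (r, s) in range, so a CA that only asks for a signature on a challenge would certify it; validate_public_key applies the arithmetic checks listed above (p prime, taken here to be a safe prime as in §4.3, g a generator of $\mathbb{Z}_p^*$, $1 \le y \le p-1$) and rejects it, while the honest key passes both checks. The honest key (23, 5, 10), the hashed message value 7 and the nonce passed to elgamal_sign are constructed for the example.

```python
"""Public-key validation for ElGamal signature keys, as recommended in
Section 3.3.  Added example with constructed toy values; not the paper's code."""


def is_prime(n):
    """Trial division; adequate for the toy sizes used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def elgamal_sign(p, g, a, m, k):
    """Textbook ElGamal on an already-hashed m with a caller-supplied nonce k
    (fixed here so the example is deterministic; gcd(k, p-1) must be 1)."""
    r = pow(g, k, p)
    s = pow(k, -1, p - 1) * (m - a * r) % (p - 1)
    return r, s


def elgamal_verify(pub, m, sig):
    """Checks g^m = y^r r^s (mod p) and the ranges of r and s, nothing else:
    exactly the situation in which the key (p, 0, 0) accepts every (r, s)."""
    p, g, y = pub
    r, s = sig
    if not (1 <= r <= p - 1 and 1 <= s <= p - 2):
        return False
    return pow(g, m, p) == pow(y, r, p) * pow(r, s, p) % p


def validate_public_key(pub):
    """The arithmetic properties listed in Section 3.3: p prime (a safe prime,
    as Section 4.3 requires), g a generator of Z_p^*, and 1 <= y <= p-1."""
    p, g, y = pub
    if p < 5 or not is_prime(p) or not is_prime((p - 1) // 2):
        return False
    q = (p - 1) // 2
    # For a safe prime p, g generates Z_p^* iff 1 < g < p, g^2 != 1 and g^q != 1.
    if not (1 < g < p) or pow(g, 2, p) == 1 or pow(g, q, p) == 1:
        return False
    return 1 <= y <= p - 1


def ca_accepts(pub, challenge_m, sig):
    """Proof of possession alone (the CA's only check in the scenario above)
    passes the degenerate key; validating the key first closes the gap."""
    return validate_public_key(pub) and elgamal_verify(pub, challenge_m, sig)


# Constructed toy key: p = 23 (safe prime, q = 11), g = 5 generates Z_23^*,
# private a = 3, so y = 5^3 mod 23 = 10.
HONEST_KEY = (23, 5, 10)
DEGENERATE_KEY = (23, 0, 0)  # the g = 0, y = 0 key from the discussion above
```

With HONEST_KEY, elgamal_sign(23, 5, 3, 7, 3) returns (10, 7), which verifies and is accepted by the CA check; with DEGENERATE_KEY an arbitrary pair such as (5, 9) verifies on the same m but the key fails validation, so ca_accepts returns False.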

4 Duplicate-Signature Key Selection 

This section examines whether commonly used signature schemes possess the 
duplicate-signature key selection property that is required in §3.2: given A’s 
public key $P_A$ for a signature scheme S, and given A’s signature $s_A$ on a message 
M, can an adversary select a key pair $(P_E, S_E)$ for S such that $s_A$ is also E’s 
signature on the message M? We demonstrate that, in certain circumstances, 
the RSA [?], Rabin [?], ElGamal [?], DSA [?] and ECDSA [?] signature 
schemes all possess this property. In the RSA scheme, it is assumed that each 
entity is permitted to select its own encryption exponent e. In the ElGamal, DSA 
and ECDSA schemes, it is assumed that entities are permitted to select their 
own domain parameters; this is what might be done in high security applications. 

It must be emphasized that possession of the duplicate-signature key selection 
property does not constitute a weakness of the signature scheme — the goal of a 
signature scheme is to be existentially unforgeable against an adaptive chosen-message 
attack [?]. 

In the following, H denotes a cryptographic hash function such as SHA-1 [?]. 

³ The resulting revised protocols are the same as the ones presented in items 3 
and 4 in §3.2 with the data $(S_A(m), \mathrm{MAC}_K(S_A(m)))$ replaced by $E_K(S_A(m))$, and 
$(S_B(m), \mathrm{MAC}_K(S_B(m)))$ replaced by $E_K(S_B(m))$. 



4.1 RSA 

Key pair: A’s public key is $P_A = (N, E)$, where N is a product of two distinct 
primes P and Q, and $1 < E < \Phi$, $\gcd(E, \Phi) = 1$, where $\Phi = (P-1)(Q-1)$. A’s 
private key is D, where $1 < D < \Phi$ and $ED \equiv 1 \pmod{\Phi}$. 

Signature generation: To sign a message M, A computes $m = H(M)$ and 
$s = m^{D} \bmod N$. A’s signature on M is s. Here, H may also incorporate a 
message formatting procedure such as the ones specified in the ANSI X9.31 [?], 
FDH [?] and PSS [?] variants of RSA. 

Signature verification: Given an authentic copy of A’s public key, one can 
verify A’s signature s on M by computing $m = H(M)$, and verifying that 
$s^{E} \equiv m \pmod N$. 

Adversary’s actions: Given A’s public key $P_A$ and A’s signature s on M, E 
does the following. 

1. Compute $m = H(M)$. 

2. Select a prime p such that: 
(a) $p - 1$ is smooth; and 
(b) s and m are both generators of $\mathbb{Z}_p^*$. 

3. Select a prime q such that: 
(a) $pq > N$; 
(b) $q - 1$ is smooth; 
(c) $\gcd(p-1, q-1) = 2$; and 
(d) s and m are both generators of $\mathbb{Z}_q^*$. 

4. Since $p - 1$ is smooth, E can use the Pohlig-Hellman algorithm to efficiently 
find an integer $x_1$ such that $s^{x_1} \equiv m \pmod p$. 

5. Similarly, since $q - 1$ is smooth, E can efficiently find an integer $x_2$ such that 
$s^{x_2} \equiv m \pmod q$. 

6. Compute $n = pq$, $\phi = (p-1)(q-1)$, and $\lambda = \phi/2$. 

7. Find the unique integer e, $1 < e < \lambda$, such that $e \equiv x_1 \pmod{p-1}$ and 
$e \equiv x_2 \pmod{q-1}$. This can be done by first solving the congruence 

$$t\,(p-1)/2 \equiv (x_2 - x_1)/2 \pmod{(q-1)/2}$$ 

for t (note that $x_2 - x_1$ is indeed even), and then setting $e = x_1 + t(p-1) \bmod \lambda$. 
Note also that since m is a generator of $\mathbb{Z}_p^*$, we have $\gcd(x_1, p-1) = 1$; 
similarly $\gcd(x_2, q-1) = 1$. It follows that $\gcd(e, \phi) = 1$. 

8. Compute an integer d, $1 < d < \phi$, such that $ed \equiv 1 \pmod{\phi}$. 

9. E forms $P_E = (n, e)$; E’s private key is d. 

Observe that s is also E’s signature on M since 

$$s^{e} \equiv s^{x_1} \equiv m \pmod p$$ 

and 

$$s^{e} \equiv s^{x_2} \equiv m \pmod q,$$ 

whence 

$$s^{e} \equiv m \pmod n.$$ 



Remarks 

1. The following is a heuristic analysis of the expected number of candidate p’s 
and q’s that are chosen before primes satisfying the conditions in steps 2 and 
3 are found. 

Suppose that the desired bitlength of both p and q is k. Candidates p and q 
can be selected by first choosing $p-1$ and $q-1$ to be products of small prime 
powers (thus ensuring conditions 2(a) and 3(b)); the primes occurring in the 
two products should be pairwise distinct, except for a 2 which occurs exactly 
once in each product (this ensures that $\gcd(p-1, q-1) = 2$). The candidate p 
is then subjected to a primality test. By the prime number theorem [?, Fact 
2.95], the expected number of trials before a prime p is obtained is $(\tfrac{1}{2}\ln 2)k$. 
Given that p is prime, the probability that both m and s are generators of 
$\mathbb{Z}_p^*$ is (see [?, Fact 2.102]) 

$$\left(\frac{\phi(p-1)}{p-1}\right)^{2} \ \ge\ \left(\frac{1}{6\ln\ln(p-1)}\right)^{2}.$$ 

If either m or s does not generate $\mathbb{Z}_p^*$, then another candidate p is selected. 
Hence, the expected number of trials before an appropriate p is found is 

$$\left(\tfrac{1}{2}\ln 2\right) k \,\bigl(6\ln\ln(p-1)\bigr)^{2} = O\bigl(k(\ln k)^{2}\bigr).$$ 

It follows that the expected number of candidates p and q before appropriate 
primes are found is also $O(k(\ln k)^{2})$. 

2. Observe that (n, e) is a valid RSA public key, and that E knows the corresponding 
private key d. 

3. To reduce the amount of on-line work required, the adversary could use 
A’s public key to precompute several candidate pairs of primes p and q 
which satisfy conditions 2(a), 3(a), 3(b), and 3(c). Subsequently, when the 
adversary sees A’s signature s on M, it can choose a precomputed pair of 
primes which also satisfy conditions 2(b) and 3(d). 



4.2 Rabin 

Key pair: A’s public key is $P_A = N$, where N is a product of two distinct 
primes P and Q. A’s private key is (P, Q). 

Signature generation: To sign a message M, A computes $m = H(M)$, and 
finds a square root s of m modulo N: $s^{2} \equiv m \pmod N$. A’s signature on M is 
s. (If m is not a quadratic residue modulo N, then m should be adjusted in a 
predetermined way so that the result is one.) 

Signature verification: Given an authentic copy of A’s public key, one can 
verify A’s signature s on M by computing $m = H(M)$, and verifying that 
$s^{2} \equiv m \pmod N$. 

Adversary’s actions: Given A’s public key $P_A$ and A’s signature s on M, 
E computes $n = (s^{2} - m)/N$ and forms $P_E = n$. Observe that s is also E’s 
signature on M since $s^{2} \equiv m \pmod n$. 

Remarks 

1. The bitlength of n is expected to be the same as the bitlength of N. 

2. n is most likely not the product of two distinct primes, and hence is not 
a valid Rabin public key. (Assuming that n is a random k-bit integer, the 
expected total number of prime factors of n is approximately $\ln k$; [?, Fact 
3.7(iii)].) However, it is difficult, in general, to test whether a composite integer 
is a product of two distinct primes; hence Rabin public-key validation 
is usually not performed in practice. 

3. Assuming that n is a random k-bit integer, the probability that the bitlength 
of the second-largest prime factor of n is $\le 0.22k$ is about $\tfrac{1}{2}$ [?, Fact 3.7(ii)]. 
Thus, for example, if 512-bit moduli are being used, then the probability 
that the bitlength of the second-largest prime factor of n is $\le 113$ is about 
$\tfrac{1}{2}$. Such n can be readily factored with the elliptic curve factoring algorithm [?]. 
Given the prime factorization of n, E can hope to convince the CA that 
it knows the corresponding private key (even though one may not exist — 
n may not be a product of 2 distinct primes), by signing (computing square 
roots modulo n, as with the Rabin scheme) a message of the CA’s choice. 



4.3 ElGamal 

Domain parameters: A safe prime p (i.e., $q := (p-1)/2$ is prime), and a 
generator g of $\mathbb{Z}_p^*$. 

Key pair: A’s private key is an integer a, $1 \le a \le p-2$. A’s public key is 
$P_A = (p, g, y)$, where $y = g^{a} \bmod p$. 

Signature generation: To sign a message M, A selects a random integer k, 
$1 \le k \le p-2$, such that $\gcd(k, p-1) = 1$, and computes $m = H(M)$, 
$r = g^{k} \bmod p$, and $s = k^{-1}(m - ar) \bmod (p-1)$. A’s signature on M is (r, s). 

Signature verification: Given an authentic copy of A’s public key, one can 
verify A’s signature (r, s) on M by computing $m = H(M)$, and verifying that 

$$g^{m} \equiv y^{r} r^{s} \pmod p.$$ 

Adversary’s actions: Given A’s public key $P_A$ and A’s signature (r, s) on M, E 
does the following. If $\gcd(s, p-1) \ne 1$ or if $\gcd(m, r) = 2$ or q, then E terminates 
with failure. Otherwise, E selects an arbitrary integer c, $1 \le c \le p-2$, such that 
$\gcd(t, p-1) = 1$, where $t = m - cr$. E then computes 
$\bar{g} = (r^{s})^{\,t^{-1} \bmod (p-1)} \bmod p$ 
and forms $P_E = (p, \bar{g}, \bar{y})$, where $\bar{y} = \bar{g}^{\,c} \bmod p$. 

Observe that (r, s) is also E’s signature on M since 

$$\bar{g}^{\,-m}\,\bar{y}^{\,r}\, r^{s} \equiv \bar{g}^{\,-(m - cr)}\, r^{s} \equiv \bar{g}^{\,-t}\, r^{s} \equiv 1 \pmod p.$$ 

Remarks. The condition $\gcd(s, p-1) = 1$ ensures that $r^{s}$, and hence also $\bar{g}$, 
is a generator of $\mathbb{Z}_p^*$. The condition $\gcd(m, r) \ne 2, q$ ensures that there exists a 
c for which $\gcd(t, p-1) = 1$; it also implies that a non-negligible proportion of 
all c’s satisfy $\gcd(t, p-1) = 1$. If we make the heuristic assumption that r, s 
and m are distributed uniformly at random from $[1, p-1]$, then we see that the 
success probability of the adversary is about $\tfrac{3}{8}$. 

4.4 DSA 

Domain parameters: Primes p and q such that q divides $p-1$, and an element 
$g \in \mathbb{Z}_p^*$ of order q. Typically p has bitlength 1024 and q has bitlength 160. 

Key pair: A’s private key is an integer a, $1 \le a \le q-1$. A’s public key is 
$P_A = (p, q, g, y)$, where $y = g^{a} \bmod p$. 

Signature generation: To sign a message M, A selects a random integer 
$k \in [1, q-1]$, and computes $m = H(M)$, $r = (g^{k} \bmod p) \bmod q$, and 
$s = k^{-1}(m + ar) \bmod q$. A’s signature on M is (r, s). 

Signature verification: Given an authentic copy of A’s public key, one can 
verify A’s signature (r, s) on M by computing $m = H(M)$, $u_1 = s^{-1} m \bmod q$, 
$u_2 = s^{-1} r \bmod q$, and verifying that $r = (g^{u_1} y^{u_2} \bmod p) \bmod q$. 

Adversary’s actions: Given A’s public key $P_A$ and A’s signature (r, s) on M, 
E selects a random integer $c \in [1, q-1]$ such that $t := ((u_1 + c\,u_2) \bmod q) \ne 0$. 
E then computes $r_1 = g^{u_1} y^{u_2} \bmod p$ and $\bar{g} = r_1^{\,t^{-1} \bmod q} \bmod p$, and forms 
$P_E = (p, q, \bar{g}, \bar{y})$ where $\bar{y} = \bar{g}^{\,c} \bmod p$. Note that $\mathrm{ord}(\bar{g}) = q$, so $P_E$ is a valid 
DSA public key. 

Observe that (r, s) is also E’s signature on M since 

$$\bar{g}^{\,u_1}\,\bar{y}^{\,u_2} \equiv \bar{g}^{\,u_1 + c u_2} \equiv \bar{g}^{\,t} \equiv r_1 \pmod p,$$ 

whence $r = (\bar{g}^{\,u_1} \bar{y}^{\,u_2} \bmod p) \bmod q$. 
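An added Python illustration of the DSA case above (this is example code, not code from the paper), with constructed toy domain parameters (q = 1009 and p the smallest prime of the form kq + 1, in place of 160- and 1024-bit values): select_duplicate_key follows the adversary’s steps as written, and demo() checks that A’s signature (r, s) verifies under both $P_A$ and the new $P_E$, that $P_E$ passes ordinary domain-parameter and public-key validation (ord(ḡ) = q), and that E can sign with its private key c, which is why proof of possession at certification does not rule the key out. The message, the RNG seed and the toy sizes are assumptions of the example.

```python
"""Duplicate-signature key selection for DSA (Section 4.4): from A's public
key and one signature (r, s) on M, E builds a different valid DSA key under
which the same (r, s) verifies on M.  Added example with constructed toy
parameters; not code from the paper."""
import hashlib
import random


def is_prime(n):
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def make_params(q=1009):
    """Constructed toy domain parameters: q prime, the smallest prime
    p = k*q + 1, and an element g of order q (real DSA uses 160/1024 bits)."""
    assert is_prime(q)
    k = 2
    while not is_prime(k * q + 1):
        k += 2
    p = k * q + 1
    for h in range(2, p):
        g = pow(h, (p - 1) // q, p)
        if g != 1:
            return p, q, g


def hash_int(msg, q):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % q


def keygen(params, rng):
    """Returns (public key (p, q, g, y), private key a)."""
    p, q, g = params
    a = rng.randrange(1, q)
    return (p, q, g, pow(g, a, p)), a


def sign(key, a, msg, rng):
    p, q, g, _ = key
    m = hash_int(msg, q)
    while True:
        k = rng.randrange(1, q)
        r = pow(g, k, p) % q
        s = pow(k, -1, q) * (m + a * r) % q
        if r and s:
            return r, s


def verify(key, msg, sig):
    p, q, g, y = key
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    u1, u2 = hash_int(msg, q) * w % q, r * w % q
    return r == pow(g, u1, p) * pow(y, u2, p) % p % q


def valid_public_key(key):
    """Domain-parameter and key validation as a CA might apply it; E's key
    passes, which is the paper's point: validation is not the countermeasure."""
    p, q, g, y = key
    return (is_prime(p) and is_prime(q) and (p - 1) % q == 0
            and 1 < g < p and pow(g, q, p) == 1
            and 1 < y < p and pow(y, q, p) == 1)


def select_duplicate_key(key_a, msg, sig):
    """E's actions from Section 4.4: r1 = g^u1 y^u2, g_bar = r1^(1/t),
    y_bar = g_bar^c with t = u1 + c*u2 != 0; E's private key is c."""
    p, q, g, y = key_a
    r, s = sig
    w = pow(s, -1, q)
    u1, u2 = hash_int(msg, q) * w % q, r * w % q
    r1 = pow(g, u1, p) * pow(y, u2, p) % p
    for c in range(1, q):
        t = (u1 + c * u2) % q
        if t == 0:
            continue
        g_bar = pow(r1, pow(t, -1, q), p)
        if g_bar == g:  # skip the one choice that reproduces A's own base
            continue
        return (p, q, g_bar, pow(g_bar, c, p)), c


def demo(seed=7):
    """Runs the whole scenario on a constructed message; returns the checks."""
    rng = random.Random(seed)
    key_a, a = keygen(make_params(), rng)
    msg = b"constructed message M"
    sig = sign(key_a, a, msg, rng)
    key_e, c = select_duplicate_key(key_a, msg, sig)
    return {
        "A_verifies": verify(key_a, msg, sig),
        "E_verifies": verify(key_e, msg, sig),  # same (r, s), different key
        "keys_differ": key_e != key_a,
        "E_key_valid": valid_public_key(key_e),
        "E_can_sign": verify(key_e, b"other", sign(key_e, c, b"other", rng)),
    }
```

Because $r_1 = g^{k}$ for the nonce k used by A, both $\bar g$ and $\bar y$ have order q, so nothing in the standard key checks distinguishes $P_E$ from an honestly generated key; the protocol-level measures of §3.2 (identities and flow numbers in the signed data, or in the key derivation) are what remove the incentive to select such a key.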




168 



S. Blake- Wilson, A. Menezes 



4.5 ECDSA 

ECDSA is the elliptic curve analogue of the DSA and is specified in [?]. 

Domain parameters: An elliptic curve E defined over the finite field $\mathbb{F}_q$ with 
$\#E(\mathbb{F}_q) = nh$ and n prime, and a point $P \in E(\mathbb{F}_q)$ of order n. 

Key pair: A’s private key is an integer a, $1 \le a \le n-1$. A’s public key is 
$P_A = (p, E, n, P, Q)$, where $Q = aP$. 

Signature generation: To sign a message M, A selects a random integer k, 
$1 \le k \le n-1$, and computes $m = H(M)$, $R = kP$, $r = x(R) \bmod n$, and 
$s = k^{-1}(m + ar) \bmod n$. Here, $x(R)$ denotes the x-coordinate of the point R. 
A’s signature on M is (r, s). 

Signature verification: Given an authentic copy of A’s public key, one can 
verify A’s signature (r, s) on M by computing $m = H(M)$, $R = s^{-1} m P + s^{-1} r Q$, 
and verifying that $r = x(R) \bmod n$. 

Adversary’s actions: Given A’s public key $P_A$ and A’s signature (r, s) on M, E 
selects an arbitrary integer c, $1 \le c \le n-1$, such that 
$t := ((s^{-1} m + s^{-1} r c) \bmod n) \ne 0$. E then computes $R = s^{-1} m P + s^{-1} r Q$ and 
$\bar{P} = (t^{-1} \bmod n) R$, and forms $P_E = (p, E, n, \bar{P}, \bar{Q})$, where $\bar{Q} = c\bar{P}$. 
Note that $\mathrm{ord}(\bar{P}) = n$, so $P_E$ is a valid ECDSA public key. 

Observe that (r, s) is also E’s signature on M since 

$$s^{-1} m \bar{P} + s^{-1} r \bar{Q} = (s^{-1} m + s^{-1} r c)\,\bar{P} = t\bar{P} = R, \qquad (1)$$ 

whence $r = x(R) \bmod n$. 

Remarks. E’s domain parameters are the same as A’s, with the exception of 
the base point P. If the elliptic curve was chosen verifiably at random using a 
canonical seeded hash function (e.g., as specified in ANSI X9.62 [?]), then E can 
use the same (non-secret) seed as selected by A to demonstrate to the CA that 
the curve was indeed selected verifiably at random. There is no requirement in 
ANSI X9.62 for generating the base point verifiably at random. Hence, performing 
domain parameter validation as specified in ANSI X9.62 does not foil the 
adversary. 

5 Conclusions 

This paper presented some new unknown key-share attacks on the STS-MAC 
key agreement protocol. The attacks are a concern in practice since STS-MAC 
purports to provide both implicit key authentication and key confirmation. There 
are various ways in which the attacks can be circumvented. Our preferred way 
is to include flow numbers and identities in the messages being signed, and to 
separate keys used to provide key confirmation from derived shared secret keys. 
Abstract. We consider a key escrow system for international communication 
between multiple domains with different policies. In intercepting 
international communications between two domains, serious problems of 
unfairness may arise when one government has not legally authorized the message 
interception. We solve this problem by incorporating a mechanism 
that allows message interception by law enforcement parties subject 
to the consent of both governments involved in the communication. 
That mechanism involves the establishment of an independent International 
Trusted Third Party (ITTP) that has the ultimate authority to 
check the security policies of each country and permit or deny the 
interception of international messages. 

We present a scheme with a multiple Diffie-Hellman type key distribution 
protocol, in which the ITTP handles only the secret key corresponding to 
its own public key. 

We can also make the ITTP “multiple”, and we apply recently developed 
techniques on distributed (threshold) cryptography to our multiple 
ITTPs. Thus, the establishment and control of an international trusted 
third party can be done with the involvement of each government. 

Key Words: Key escrow/recovery system, Diffie-Hellman key distribution, 
Trusted Third Party, Distributed Cryptography, Security policy 



1 Introduction 

1.1 International Aspects of Key Escrow 

Various key escrow systems (KES) and key recovery systems have been proposed recently 
[?]. These systems make it possible, under certain conditions, for an authorized 
third party (referred to as Law Enforcement Parties (LEP) in the following) to intercept 
encrypted messages sent between users. 

A key escrow mechanism suitable for international use was recently proposed by 
Jefferies, Mitchell, and Walker (JMW-mechanism) [?], and revised schemes are 
presented for use among multiple domains [?]. 

* This work is inspired by Prof. Tsujii’s remark [Tsu96] on unfairness hidden in some 
existing escrow schemes. 

** Partially done while visiting Columbia Univ. Computer Science Dept. 

H. Imai and Y. Zheng (Eds.): PKC’99, LNCS 1560, pp. 171-..., 1999. 
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In the JWM-mechanism, a session key for users’ end-to-end encryption is estab- 
lished based on Difiie-Hellman key exchange So, it is possible for the court 

to permit “edge surveillance”, in which only communication between sender A and 
receiver B can be decrypted from one of keys from A or B unlike Clipper. The JWM- 
mechanism also introduces a licensed Trusted Third Party to escrow users’ private 
keys. 

As an international aspect of the JMW mechanism, Chen et al. consider key escrow
in mutually mistrusting domains, where the countries involved do not trust one
another. To solve this problem they propose to share the information on the
escrowed key using the method of Pedersen [P91]. Bao et al. [BDHJ97] propose an
improvement of this method that shares the information efficiently among several
countries.

1.2 Our Discussed Problem 

The previous methods presume that both countries have authorized the
interception, and that keys are escrowed fairly between the two countries with
no other parties involved.

For the interception of international communication, particularly between a
country that has authorized the interception and one that has not, such a
mechanism becomes a drawback. The reason is that once the LEP has carried out a
proper law enforcement process, it can intercept encrypted messages at will,
regardless of the security policy of the other country. Considering that every
country should respect the security policies of other countries as far as
possible, it is not desirable that one country should be able to intercept
arbitrarily the communications from and/or to another country. The law
enforcement process should be such that the LEP cannot intercept encrypted
communications without the cooperation, or at least the consent, of the other
country. Unfortunately, the papers referred to above do not discuss this
international feature.

In contrast, we consider a system for intercepting international communications
that can adapt to the security policies freely designed by each country,
including a policy of not authorizing interception at all.

1.3 Our Contributions 

Requirements: Our proposed key escrow system has the following properties.

1. When international communications are the target of communication surveillance,
it must not be possible for the investigator to intercept encrypted messages without
obtaining the consent of the other country.

2. The ITTP provides the investigator with the information crucial to the law
enforcement process only on condition that the investigator has obtained the consent
of the other country.

3. No agency or organization holds a user's international private key, with which
the user communicates with users in other domains. Opportunities for interception
are limited in time.

4. The encrypted communication protocol uses only published or fixed data, and no
data carrying randomness.

5. Our ITTP can be distributed, or eliminated: multiple domains jointly generate the
ITTP's public key and collectively decrypt messages encrypted under that public key.
How to Compromise with the ITTP: We set up an international trusted third party
(ITTP), hierarchically, in advance. Intercepting an international communication is
then possible only with the consent of both countries and the cooperation of the
ITTP. This approach implements the idea of Frankel and Yung [FY95] that "trusted
agents trusted by both countries are necessary between countries that cannot trust
one another."

The first technique is to construct multiple Diffie-Hellman type keys and to escrow
a part of the secret information with the ITTP that our proposal sets up. By this
method, intercepting international communications is possible only when the ITTP
cooperates, under the consent of both countries.

In our proposed scheme, unlike the previous ones [JMW95, GCHQ96], the common key
between two communicating users cannot be obtained without either the user's
international private key or the ITTP's secret key. The user's international
private key is not deposited anywhere, and the ITTP's secret key is managed only by
the ITTP, so the LEP cannot obtain either of them. Furthermore, in the law
enforcement protocol the ITTP does not hand the users' communication key itself to
the LEP. Therefore the LEP has no way of obtaining the common key between two
communicating users. The user's national private key deposited with the key escrow
agencies is used by the key escrow agencies in the law enforcement protocol. The
information supplied by the key escrow agencies, however, is always a combination
of the user's national private key and the system secret information. Because the
LEP has no means to separate out that secret information, the LEP cannot obtain the
user's national private key from the information available when the law enforcement
protocol is executed.

On the other hand, each key escrow agency manages only one part of the user's
segmented national private key. The purpose of having multiple key escrow agencies,
each managing only a part, is to reduce the risk of a key escrow agency infringing
on the privacy of users.

Accordingly, it is not desirable for that purpose that a key escrow agency be able
to obtain the user's national private key itself. In the law enforcement protocol
proposed here, the information available to each key escrow agency always involves
an unknown constant, namely the segments of the system secret information held only
by the other key escrow agencies. The unknown constant cancels only at the end, when
the LEP obtains KS; within the processing by the key escrow agencies it cannot be
removed. There is therefore no possibility that any of the key escrow agencies can
obtain the user's national private key from the information available when the law
enforcement protocol is executed, unless all of the key escrow agencies collude.



Distributed ITTPs: A criticism from the practical point of view is that a single
International TTP sitting above all national jurisdictions is too idealistic, naive,
or completely unworkable. So, in answer to this criticism, we also consider a further
improvement with multiple third parties who are trusted collectively but not
individually.

De Santis, Desmedt, Frankel and Yung presented the idea of using threshold
cryptography for key escrow. We make use of recently developed techniques in
threshold cryptography: the governments jointly create an ITTP, and the ITTP and all
the governments share the secret key of that organization. We should remark that any
public-key scheme (e.g., RSA or ElGamal) is applicable as the ITTP's encryption
scheme.

In particular, our system gives a solution to the following open problem:

Can a practical key escrow scheme be designed for the case where more than
two domains are involved, and where escrow agencies are not permitted to span
more than one domain?

We utilize techniques in threshold cryptography to restrict each escrow agency's
tapping power to its own domain.

Against Subliminal Channels Via Randomness: The reason that data with randomness is
excluded from the encrypted communication protocol is protection against a subliminal
channel. If the escrow system involved random data, users could communicate by
transmitting that random data itself as the ciphertext, with an ordinary message
placed in the formal position as a dummy; since the dummy is what a law enforcement
process deciphers, this shadow communication is hardly detectable. To avoid this
attack, in our system all data involved in the communication protocol, including the
session key, is public or fixed within a period (e.g. hour, day, week) and carries
no randomness.

Time-Related Session Key Establishment: Our basic scheme for domestic communication
is a modification of a previous scheme, restricting the period over which the
investigator can tap a conversation.

The GCHQ system adds a time stamp to the concept of the earlier system, whereas
another of the systems referred to above does not use a time stamp; the latter is
not efficient in practice, since users must access the key escrow agencies every
time they start a communication in order to generate a session key.

So we make use of a time stamp by embedding it into the generator (the base of the
discrete logarithm) used for the Diffie-Hellman key exchange. This enables efficient
encrypted communication without accessing the key escrow agencies to generate a
session key when a communication starts.

Comparison: Ours vs Previous: Some works have discussed international aspects of
KES. The comparison with the related works is given in Table 1.

Chen, Gollmann, and Mitchell [CGM96] point out the problem that, between two
countries that have authorized the interception, there is no guarantee that one
country's key escrow agencies trust the other's. To solve this problem they propose
to share the information on the escrowed key using the method of Pedersen [P91]. Bao
et al. [BDHJ97] propose an improvement of this method that shares the information
efficiently among several countries. These methods presume that both countries have
authorized the interception, and that keys are escrowed fairly between the two
countries with no other parties involved.

In one of the previous schemes and in ours, the investigator cannot look into the
communication between the users beyond the period permitted by the court; in another
previous scheme the investigator must perform the law enforcement protocol once for
each target communication.

In some schemes the TTP that generates a user's secret key and transmits it to the
user keeps it, so that no key deposit is needed. One scheme in which users need not
deposit their own secret key is applicable, like ours, to communication under various
policies. In that system, however, the investigator cannot obtain the key in advance
of the target communication so as to monitor it in real time, because the sender
generates the session key randomly when communicating.

In the previous schemes the key escrow agencies (TTPs) can obtain the secret key of
the target user in the law enforcement process. In our proposed scheme, by contrast,
the knowledge of a key escrow agency does not increase even after the law enforcement
process is done: the key escrow agencies cannot access the complete secret key of a
user, since in the law enforcement process each computes the crucial data from the
partial secret key it holds and transfers the result to the investigator. Because of
this, the user need not renew his key even after a law enforcement.

Young and Yung recently proposed key-escrow systems with multiple trusted agencies.
Though they do not discuss international aspects of key escrow, their scheme could be
applied to international communication. They also presented the new double-decker
scheme and a hierarchical key-escrow system, which could likewise be applied to
international communication. In the Young-Yung schemes only a single ciphertext is
decrypted per law enforcing process, so if multiple ciphertexts must be recovered,
many law enforcing tasks have to be performed. In our scheme, by contrast, the
investigator can decrypt any message encrypted within the limited period for which a
session key has been recovered via the law enforcing protocol. This gap is due to the
difference in the recovered target: the content of an encrypted message in the
Young-Yung scheme, versus a session key valid for a limited term in our system.

Gressel, Granot and Dror presented the first approach to key escrow (Fortress KISS)
that takes into account crypto law for international communication. Their scheme
differs from ours in two points. One is that in Fortress KISS the session key for
encrypting the communication is independent of the user's private key, whereas in
our scheme, in order to exclude randomness that could conceal a shadow message, the
session key is uniquely generated from the users' valid public (secret) keys and the
date. The other is that Fortress KISS discloses the private key itself of the target
user in the law enforcing protocol, whereas in our system only the selected message
permitted by the court is recovered, without revealing the private key of the target
user. This idea has been pointed out before.



2 Our Proposed System 

2.1 System Configuration 

Our proposed system consists of the following parties: 

User U_i (i = A, B, ...): A party engaged in encrypted communication. There are
multiple users. Each user deposits his own national private key with the key escrow
agencies of his own country, divided into several parts. Without revealing any
information on the international private key, each user must register the
international public key with the certificate authority responsible for
international communication.
Table 1. The comparison to related works
[(N)EG: (None) Escrowing Government, commu.: communication]
[table body not recoverable]

Table 2. Basic technique used

  Scheme               Basic technique
  -------------------  ---------------------------------------------------
  [CGM96], [BDHJ97]    DH key exchange, Pedersen's VSS
  [JMW95], [GCHQ96]    DH key exchange, TTP (as key producer)
  [?T97]               ElGamal cryptosystem, data binding
  [YY99]               Double-decker exponentiation (RSA, ElGamal)
  Ours                 DH key exchange, any (distributed) PKP for ITTP

Investigator: An organization that, after obtaining the court's permission, has the
authority to intercept the encrypted messages of the user specified in the court
order, with the cooperation of the key escrow agencies.

Key Escrow Agency T_j (j = 1, 2, ..., k): It holds a segment of each user's private
key as well as a part of the one-time secret system information distributed by the
court. There are multiple key escrow agencies in a country whose government has an
affirmative policy toward key escrow. In a law enforcement process, it checks the
validity of the court order and presents to the investigator the information
computed from the partial private key only when consent has been given.

Court of Justice: An organization that considers the appropriateness of requests by
the investigator to perform an interception and, when deemed appropriate, issues an
order permitting that interception. This is a trusted organization.

International Trusted Third Party (ITTP): An internationally trusted organization
that makes the final determination of whether an international communication may be
intercepted. In a law enforcement process, it provides the investigator of the
country that wants to perform the interception with the information that makes
deciphering the target messages possible, only when that country has obtained the
consent of the other country involved. In an emergency related to the international
problem, the ITTP presents the crucial information without the consent of the other
country. (Section 4 discusses how to make the ITTP "multiple", with distributed
ITTPs ITTP_j (j = 1, 2, ..., m).)

Certificate Authority (CA): It authenticates the international public keys of users.
There are multiple certificate authorities. The CA manages the list of public keys or
issues certificates of public keys using techniques such as digital signatures.

2.2 Setting up the System 

A prime number p and a primitive element g mod p are published as public system
information. Each user keeps two different key pairs, one for international and one
for domestic communication.

In order to communicate with users in the same domain (country), U_A generates a
domestic secret key S_A and computes the corresponding domestic public key P_A. If
the country has an affirmative policy toward key escrow, U_A deposits the segment
S_{Aj} of the domestic secret key with each key escrow agency T_j, where

  S_A = S_{A1} + S_{A2} + \cdots + S_{Ak}.                                  (1)

The country authenticates P_A = g^{S_A} (mod p) as the domestic public key of U_A.
A country whose government has a negative policy toward escrow, on the other hand,
only authenticates the domestic public key of its citizen.

U_A, wishing to communicate with a person in another domain (country), generates
the secret key x_A for international communication. Then the international public
key y_A = g^{x_A} (mod p) of U_A is computed and sent to the CA managing the list of
public keys for international communication. After verifying the validity of y_A via
the digital signature on a challenge, the CA registers y_A in the list as the
international public key of U_A. The certificate of y_A is issued by the CA and sent
to U_A.

For every law enforcement process, the court of a country promoting the key escrow
policy generates the secret system information (Is, is) satisfying

  Is = \prod_{j=1}^{k} Is_j = Is_1 \, Is_2 \cdots Is_k  (mod p),             (2)

  is = Is^{-1} = \sum_{j=1}^{k} is_j = is_1 + is_2 + \cdots + is_k  (mod q),  (3)

where q is the order of g (q = p - 1 for a primitive g). Then the partial
information (Is_j, is_j) is transmitted confidentially to each key escrow agency T_j.
Each key escrow agency T_j keeps (Is_j, is_j) secret and provides the investigator
with the partial result computed from this partial information during a law
enforcement process.

2.3 Basic Scheme for Domestic Communication 

We describe the protocol for U_A conducting encrypted communication with U_B in the
same domain (country).

2.4 Encrypted Communication Protocol

Step 1: U_A calculates the master key K_AB = P_B^{S_A} (mod p) from his own domestic
private key S_A and the domestic public key P_B of U_B. Then U_A computes the session
key KS = D^{K_AB} (mod p) from K_AB and the time data D.

Step 2: U_A encrypts a message M with a symmetric cryptosystem f_2, using KS, to
obtain the ciphertext C = f_2(M, KS). U_A sends C and LEAF = (P_A||P_B||D) to U_B.

Step 3: U_B extracts D from the LEAF and computes the master key K_AB = P_A^{S_B}
(mod p) from his own domestic private key S_B and the domestic public key P_A.

Step 4: U_B computes KS from D and K_AB. Then U_B decrypts C with KS to obtain the
message M = f_2^{-1}(C, KS).



Law Enforcing Protocol: We describe the protocol for the case in which the
investigator performs the interception on U_B. Here the investigator has already
obtained the encrypted communication between U_A and U_B and recorded the ciphertext
C and the LEAF.

Step 1: The investigator petitions the court of justice for an order permitting law
enforcement on the communication between U_A and U_B.

Step 2: The court decides whether or not to permit the surveillance. If permission
is to be granted, the court issues an order that clearly specifies the verification
date and the name of the user who will be subject to the surveillance (U_B).

Step 3: The investigator presents to each key escrow agency T_j the court order
regarding U_B and the time data D.

Step 4: Each key escrow agency T_j computes K_j = Is_j \cdot P_A^{S_{Bj}} (mod p) and
sends K_j to the investigator.

Step 5: The investigator computes K^* = \prod_{j=1}^{k} K_j (mod p) (which equals
Is \cdot K_AB) and sends K^* to each key escrow agency T_j.

Step 6: Each key escrow agency T_j computes K'_j from K^*, D and its share is_j of
the secret system information, and sends K'_j to the investigator.

Step 7: The investigator computes the session key KS from the K'_j:

  \prod_{j=1}^{k} K'_j = D^{K_AB} = KS  (mod p),                             (4)

and can then decrypt C to obtain the message M = f_2^{-1}(C, KS).

2.5 Unfairness in Law Enforcement without Agreement 

We consider the unfairness arising in law enforcement on communication between two
domains with different escrow policies: domain P is negative toward escrow and domain
Q is positive. Consider two users: U_A is a citizen of domain P, and U_B is in
domain Q.

The domestic secret key of a user in country P need not be deposited with key
escrow agencies (the government of P might have no such agencies). On the other
hand, the government of domain Q might promote the key escrow policy and decrypt the
encrypted communication between users under the law. Executing the encrypted
communication protocol of Section 2.4 for the international communication between
U_A and U_B then causes the following problem.

In that protocol the communication between U_A and U_B is encrypted with the session
key KS, which is built from the time data D and the Diffie-Hellman common key K_AB of
U_A and U_B. After obtaining the court order permitting the interception of U_B, the
investigator can decrypt the encrypted communication between U_A and U_B with the
help of the key escrow agencies, which contribute their segments of U_B's secret
key. Country Q can execute the law enforcement protocol while keeping the
interception secret from country P, since the investigator in Q can access the
communication between U_A and U_B without any help from P.

Step 1: The investigator of country Q petitions the court of justice in his own
country for an order permitting law enforcement on the communication between U_A
and U_B.

Step 2: The court decides whether or not to permit the surveillance. If permission
is to be granted, the court issues an order that clearly specifies the verification
date and the name of the user who will be subject to the surveillance (U_B).

Steps 3-7: By executing Steps 3-7 of the law enforcing protocol in Section 2.4, the
investigator can independently decipher the encrypted communication between U_A and
U_B without the help of any agency in country P.

We should remark that the previous international KES with multiple domains suffer
from the same defect of "unfairness". In the other systems referred to above, the
investigator of one country can perform the law enforcement process with this
"unfairness", except when monitoring in real time (for real-time monitoring the
investigator must obtain the session key or a related key through law enforcement
before the target communication takes place).

2.6 Our Scheme for International Communication 

Encrypted Communication Protocol.

We describe the protocol for U_A of country P conducting encrypted communication
with U_B of country Q.

Step 1: U_A computes the international master key IK_AB = y_B^{x_A} (mod p) from his
own international private key x_A and the international public key y_B of U_B. Then
U_A enciphers D with the symmetric cryptosystem f_1, using IK_AB, to obtain
E_D = f_1(D, IK_AB).

Step 2: U_A calculates K_AB = P_B^{S_A} (mod p) from his own national secret key S_A
and the national public key P_B of U_B. Then U_A computes the session key
KS = D^{K_AB \cdot E_D} (mod p) from K_AB, E_D and D. Moreover, U_A enciphers a
message M with the symmetric cryptosystem f_2 using KS: C = f_2(M, KS).

Step 3: U_A enciphers (E_D, D, C, y_A, y_B, P_A, P_B) with the asymmetric
cryptosystem Enc(\cdot), using the ITTP's public key P_I, to obtain
Inf = Enc((E_D||D||C||y_A||y_B||P_A||P_B), P_I). Then U_A sends C and
LEAF = (y_A||y_B||P_A||P_B||D||Inf) to U_B.

Step 4: U_B extracts D and Inf from the LEAF and computes IK_AB = y_A^{x_B} (mod p)
from his own international secret key x_B and the international public key y_A of
U_A. Then U_B enciphers D with the symmetric cryptosystem f_1, using IK_AB, to
obtain E_D = f_1(D, IK_AB).

Step 5: U_B verifies the soundness of Inf in the LEAF using the E_D computed in
Step 4: U_B computes Inf' = Enc((E_D||D||C||y_A||y_B||P_A||P_B), P_I) and halts the
processing if Inf' and the Inf in the LEAF are not identical. (This comparison
presupposes that Enc is deterministic, in line with Requirement 4 of Section 1.3; a
randomized public-key scheme could not be checked this way.)

Step 6: U_B calculates K_AB = P_A^{S_B} (mod p) from the national public key P_A of
U_A and his own national secret key S_B. Then U_B computes the session key
KS = D^{K_AB \cdot E_D} (mod p) and finally deciphers C with KS to obtain the message
M = f_2^{-1}(C, KS).
Law Enforcing Protocol. We describe the protocol for the case in which the
investigator of country Q performs the interception on U_B of the same country. Here
the investigator of country Q has already obtained the encrypted communication
between U_A and U_B and recorded the ciphertext C and the LEAF.

Step 1: The investigator of country Q petitions the court of justice in his own
country for an order permitting law enforcement on the communication between U_A
and U_B.

Step 2: The court decides whether or not to permit the surveillance. If permission
is to be granted, the court issues an order that clearly specifies the verification
date and the name of the user who will be subject to the surveillance (U_B).

Step 3: The investigator petitions country P for agreement to the tapping of the
communication line.

Step 4: Country P decides whether or not to permit the surveillance. If permission
is to be granted, country P issues a consent bond for the tapping.

Step 5: The investigator presents to the ITTP both the court order and the consent
bond of country P.

Step 6: After verifying the validity of both the court order and the consent bond,
the ITTP deciphers Inf with its own secret key S_I to obtain
(E_D, D', C, y_A, y_B, P_A, P_B):

  Dec(Inf, S_I) = (E_D, D', C, y_A, y_B, P_A, P_B).                          (5)

If and only if D' and the D in the LEAF are identical, the ITTP sends E_D to the
investigator of country Q.

Step 7: The investigator presents to each key escrow agency T_j the court order
regarding U_B, the time data D, and the consent bond of country P.

Step 8: Each key escrow agency T_j computes K_j = Is_j \cdot P_A^{S_{Bj}} (mod p) and
sends K_j to the investigator.

Step 9: The investigator computes K^* = \prod_{j=1}^{k} K_j (mod p) and sends K^* to
each key escrow agency T_j.

Step 10: Each key escrow agency T_j computes K'_j from K^*, D, E_D and its share is_j
of the secret system information, and sends K'_j to the investigator.

Step 11: The investigator computes the session key KS from the K'_j:

  \prod_{j=1}^{k} K'_j = D^{K_AB \cdot E_D} = KS  (mod p).                   (6)

Then the investigator deciphers C to obtain the message M = f_2^{-1}(C, KS).
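The encrypted communication protocol above and Step 6 of the law enforcing protocol, written out as an added example (this is not code from the paper). It assumes toy parameters p = 2^31 - 1 with primitive root g = 7, takes HMAC-SHA256 as the unspecified symmetric cipher f_1, a SHA-256 keystream XOR as f_2, and a deterministic chunked ElGamal as Enc (deterministic because U_B's Step 5 recomputes Inf and compares it); all keys, the date D and the message are constructed sample values. The escrow agencies' Steps 7-11 are not modelled here.

```python
"""Section 2.6: U_A -> U_B exchange, U_B's LEAF check, and the ITTP's conditional release of E_D."""
import hashlib
import hmac

# Public system parameters: p prime, g a primitive root mod p (toy size, chosen for the example).
P = 2**31 - 1
G = 7
Q = P - 1  # order of g; exponents are reduced modulo Q


def keypair(secret):
    """(secret, g^secret mod p); serves for S_A/P_A, x_A/y_A and the ITTP's S_I/P_I alike."""
    return secret, pow(G, secret, P)


def f1(D, key):
    """Stand-in for the symmetric cipher f1 (left open by the paper): E_D = f1(D, IK_AB),
    here an HMAC-SHA256 tag reduced to an exponent in [1, Q-1] (assumption)."""
    tag = hmac.new(key.to_bytes(8, "big"), D.to_bytes(8, "big"), hashlib.sha256).digest()
    return 1 + int.from_bytes(tag, "big") % (Q - 1)


def f2(data, ks):
    """Stand-in for f2: XOR with a SHA-256 keystream derived from KS (the same call decrypts)."""
    stream = b""
    for counter in range((len(data) + 31) // 32):
        stream += hashlib.sha256(ks.to_bytes(8, "big") + counter.to_bytes(4, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def enc(plaintext, P_I):
    """Enc(., P_I): ElGamal over 3-byte chunks with the ephemeral exponent derived from the
    plaintext. Deterministic on purpose so that Step 5 can compare Inf' with Inf (toy scheme)."""
    plaintext += b"\0" * (-len(plaintext) % 3)
    k = 1 + int.from_bytes(hashlib.sha256(plaintext).digest(), "big") % (Q - 1)
    mask = pow(P_I, k, P)
    chunks = [int.from_bytes(plaintext[i:i + 3], "big") for i in range(0, len(plaintext), 3)]
    return pow(G, k, P), [m * mask % P for m in chunks]


def dec(inf, S_I):
    """Dec(Inf, S_I): strip the ElGamal mask chunk by chunk."""
    c1, c2s = inf
    unmask = pow(pow(c1, S_I, P), -1, P)
    return b"".join((c * unmask % P).to_bytes(3, "big") for c in c2s).rstrip(b"\0")


def pack(E_D, D, C, yA, yB, PA, PB):
    """(E_D||D||C||y_A||y_B||P_A||P_B) as bytes; '|' never occurs inside a field."""
    return "|".join([str(E_D), str(D), C.hex(), str(yA), str(yB), str(PA), str(PB)]).encode()


def unpack(pt):
    E_D, D, C, yA, yB, PA, PB = pt.decode().split("|")
    return int(E_D), int(D), bytes.fromhex(C), int(yA), int(yB), int(PA), int(PB)


def send(M, D, xA, SA, yA, PA, yB, PB, P_I):
    """Steps 1-3: U_A derives IK_AB, E_D, K_AB and KS, encrypts M, builds Inf and the LEAF."""
    E_D = f1(D, pow(yB, xA, P))                  # Step 1: IK_AB = y_B^x_A, E_D = f1(D, IK_AB)
    KS = pow(D, pow(PB, SA, P) * E_D, P)         # Step 2: K_AB = P_B^S_A, KS = D^(K_AB * E_D)
    C = f2(M, KS)
    Inf = enc(pack(E_D, D, C, yA, yB, PA, PB), P_I)   # Step 3
    return C, {"yA": yA, "yB": yB, "PA": PA, "PB": PB, "D": D, "Inf": Inf}


def receive(C, LEAF, xB, SB, P_I):
    """Steps 4-6: U_B recomputes E_D and Inf', halts (None) on a mismatch, else decrypts."""
    E_D = f1(LEAF["D"], pow(LEAF["yA"], xB, P))  # Step 4: IK_AB = y_A^x_B
    fields = (E_D, LEAF["D"], C, LEAF["yA"], LEAF["yB"], LEAF["PA"], LEAF["PB"])
    if enc(pack(*fields), P_I) != LEAF["Inf"]:   # Step 5
        return None
    KS = pow(LEAF["D"], pow(LEAF["PA"], SB, P) * E_D, P)   # Step 6: K_AB = P_A^S_B
    return f2(C, KS)


def ittp_release(LEAF, court_order, consent_bond, S_I):
    """Law enforcing protocol, Step 6: the ITTP returns E_D only with both documents in hand
    and only if the D' recovered from Inf equals the D carried in the LEAF."""
    if not (court_order and consent_bond):
        return None
    E_D, D_prime = unpack(dec(LEAF["Inf"], S_I))[:2]
    return E_D if D_prime == LEAF["D"] else None


def demo():
    """Constructed sample keys and message; returns the outcome of each check."""
    xA, yA = keypair(123456)
    xB, yB = keypair(654321)
    SA, PA = keypair(24680)
    SB, PB = keypair(13579)
    S_I, P_I = keypair(777777)
    D, M = 19990301, b"meet at kamakura, 1 march"     # time data: the date as an integer
    C, LEAF = send(M, D, xA, SA, yA, PA, yB, PB, P_I)
    forged = dict(LEAF, D=D + 1)                      # investigator rewrites D in the LEAF
    return {
        "delivered": receive(C, LEAF, xB, SB, P_I) == M,
        "forged_leaf_halts": receive(C, forged, xB, SB, P_I) is None,
        "released": ittp_release(LEAF, True, True, S_I) == f1(D, pow(yB, xA, P)),
        "no_consent": ittp_release(LEAF, True, False, S_I) is None,
        "forged_leaf_refused": ittp_release(forged, True, True, S_I) is None,
    }
```

Two things the code makes concrete: a LEAF whose D field has been rewritten fails both U_B's Step 5 check and the ITTP's D' = D check, and the ITTP hands out E_D alone, never KS. The deterministic Enc is forced by the Step 5 comparison; the paper leaves the choice of Enc open, and a chunked textbook ElGamal with a plaintext-derived exponent is only a stand-in, not a recommendation.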



3 Discussion 

3.1 Why Two Types of Keys are Introduced 

In our system we have introduced two public-private key pairs for each user. One is
a domestic key pair, which is used for both domestic and international
communication, and the other is an international key pair, which is used only for
international communication.

The reason for introducing two types of keys for each user is to maintain the
independence of each country's key escrow policy as long as the communication is
within the country (domestic), while preventing either country from executing a
wiretap on its own judgement (authority) for international communication.

In our original key escrow system we set up only one key for each user, assuming
only domestic communication. That key was shared among the TTPs within the country.
On extending the system to international communication, the problem was that if the
key were shared among both domestic TTPs and international TTPs, the key escrow
policy for domestic communication would be affected by the international TTPs'
decisions. Thus we set up another key, distinct from the domestic one, for
international communication. Both the domestic and the international policy must be
taken into consideration for wiretapping international communication; this is why
both keys are used for international communication, and therefore why our system
introduces two types of keys for each user.



3.2 Setting the Fixed Data Within a Period as a Generator 

In the construction of the session key, we discuss here the difference between using
the primitive element g of the system parameter p as the base and using the fixed
data D of the period (in this paper, the date/time) as the base. The session key is
computed as g^{K_AB \cdot E_D} in the former case and as D^{K_AB \cdot E_D} in the
latter. In the former case, once the investigator obtains a session key from the key
escrow agencies in a law enforcement process, he can calculate the fixed data
g^{K_AB} of U_A and U_B by computing KS^{E_D^{-1}}, where E_D^{-1} is the inverse of
E_D modulo the order of g (it exists only when E_D is coprime to that order). The
data g^{K_AB} allows the investigator to calculate the session key of any later
communication between U_A and U_B without the cooperation of the key escrow agencies,
using only the E_D provided by the ITTP.

In the latter case, the investigator obtains only the ad hoc data D^{K_AB}, even if
he computes KS^{E_D^{-1}} as above. In this case, whenever the law enforcement
process is performed, the investigator must obtain the cooperation of the key escrow
agencies again every time the fixed data D has changed.

Depending on the policy for law enforcement or the efficiency of the process, one of
the two types of key construction should be chosen.
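The two constructions compared above, as an added example (not the paper's code): with toy parameters p = 2^31 - 1 and g = 7, it unmasks a recovered session key with E_D^{-1} and checks whether the result predicts the next period's key. K_AB and the two periods' E_D values are constructed samples; the E_D values were chosen coprime to p - 1 so that the inverse exists, and the example exposes that condition as a check.

```python
"""Section 3.2: what an investigator learns from one recovered session key, for the two
choices of base (the fixed generator g versus the period data D)."""
from math import gcd

P = 2**31 - 1     # toy prime; g = 7 is a primitive root mod p
G = 7
Q = P - 1         # order of g; E_D must be invertible modulo Q for the unmasking below


def session_key(base, K_AB, E_D):
    return pow(base, K_AB * E_D, P)


def invertible(E_D):
    """KS^(E_D^-1) is only defined when gcd(E_D, ord g) = 1; a practitioner should check it."""
    return gcd(E_D, Q) == 1


def unmask(KS, E_D):
    """KS^(E_D^-1): the investigator strips the ITTP-provided E_D from a recovered KS."""
    if not invertible(E_D):
        raise ValueError("E_D has no inverse modulo the order of g")
    return pow(KS, pow(E_D, -1, Q), P)


def former_variant_forecast_works(K_AB, E_D, E_D_next):
    """Base g: the unmasked value g^K_AB is period-independent, so the next period's key
    follows from the next E_D alone, with no escrow agency involved."""
    g_kab = unmask(session_key(G, K_AB, E_D), E_D)
    return pow(g_kab, E_D_next, P) == session_key(G, K_AB, E_D_next)


def latter_variant_forecast_works(K_AB, E_D, D, E_D_next, D_next):
    """Base D: unmasking yields D^K_AB, which says nothing about D_next^K_AB."""
    d_kab = unmask(session_key(D, K_AB, E_D), E_D)
    return pow(d_kab, E_D_next, P) == session_key(D_next, K_AB, E_D_next)


# Constructed sample values: a master key K_AB = P_B^S_A and two periods' E_D (both coprime to Q).
K_AB = pow(pow(G, 13579, P), 24680, P)
E_D, E_D_NEXT = 65537, 104729
D, D_NEXT = 19990301, 19990302
```

The former variant returns True (one law enforcement leaks g^{K_AB} for good); the latter returns False (the investigator must go back to the agencies for the next D). The same unmasking step also shows why f_1 must never output an E_D sharing a factor with the order of g.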



3.3 One-Timeness of the Secret System Information {Is, is) 

The court of justice issues the secret system information (Is, is) for every law
enforcement process. This information allows the key escrow agencies to provide the
investigator with a partial result that enables access to the communication between
the users, without revealing the segmental secret key itself. If the same (Is, is)
were used in different law enforcement processes, the following problem would arise.

The investigator of a country, say Q, might first communicate with U_A as a dummy
user U_B' (or in collusion with U_B'). Then the investigator petitions the court of
justice in his own country for an order permitting the law-enforced recovery of the
communication between U_A and U_B'. If the request is accepted, the investigator
obtains K^* = Is \cdot K_AB' in the law enforcement process. Since the investigator
holds the secret key of U_B', he can compute the master key K_AB' himself and then
calculate Is from K_AB' and K^*:

  K^* / K_AB' = Is \cdot K_AB' / K_AB' = Is.                                 (7)

After that, when a law enforcement process for domestic communication between U_X
and U_Y in country Q is performed, the investigator, holding the part Is of the
secret system information, can obtain K_XY by computing

  K^* / Is = Is \cdot K_XY / Is = K_XY.                                      (8)

Finally, without the help of the key escrow agencies, the investigator can decipher
the encrypted communication between U_X and U_Y by himself at any time.

To avoid this attack, the court generates the secret system information (Is, is)
afresh for every law enforcement protocol and distributes a part of it to each key
escrow agency.
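The first round of the law enforcing protocol (Section 2.4, Steps 3-5) and the reuse attack just described, as an added example that is not the paper's code. It uses the same toy parameters p = 2^31 - 1, g = 7; the key shares, the court's Is_j values and the users' secrets are constructed samples. Only Is and the K_j round are needed for the attack, so the agencies' second round with is_j is not modelled.

```python
"""Law enforcing protocol of Section 2.4, Steps 3-5 (the escrow agencies' first round), and the
attack of Section 3.3 when the court reuses (Is, is) across law enforcement processes."""
P = 2**31 - 1     # toy prime; g = 7 is a primitive root mod p
G = 7
Q = P - 1


def split_secret(secret, fixed_shares):
    """Escrow split S = S_1 + ... + S_k (mod Q), eq. (1): k-1 shares given, the last computed."""
    return list(fixed_shares) + [(secret - sum(fixed_shares)) % Q]


def court_Is(Is_shares):
    """Is = Is_1 * ... * Is_k (mod p), eq. (2); the court keeps Is, agency T_j sees only Is_j."""
    Is = 1
    for s in Is_shares:
        Is = Is * s % P
    return Is


def round_one(PA, SB_shares, Is_shares):
    """Step 4: T_j returns K_j = Is_j * P_A^(S_Bj) (mod p); Step 5: investigator multiplies them.
    Result: K* = Is * K_AB (mod p), i.e. K_AB = P_A^S_B masked by the court's Is."""
    K_star = 1
    for SBj, Isj in zip(SB_shares, Is_shares):
        K_star = K_star * (Isj * pow(PA, SBj, P) % P) % P
    return K_star


def reuse_attack(Is_shares_dummy_case, Is_shares_target_case):
    """Investigator of country Q runs a dummy user U_B' whose S_B' he knows, obtains a court
    order against U_B', and later targets U_X, U_Y. Returns whether he recovers K_XY."""
    SA = 24680                                  # honest U_A (constructed sample)
    PA = pow(G, SA, P)
    SBd = 31337                                 # dummy U_B', secret known to the investigator
    SBd_shares = split_secret(SBd, [1000, 2000])
    K_star = round_one(PA, SBd_shares, Is_shares_dummy_case)
    K_ABd = pow(PA, SBd, P)                     # he can compute K_AB' himself
    Is = K_star * pow(K_ABd, -1, P) % P         # eq. (7): K* / K_AB' = Is
    SX, SY = 11111, 22222                       # later targets U_X, U_Y in country Q
    PX = pow(G, SX, P)
    K_star_xy = round_one(PX, split_secret(SY, [300, 400]), Is_shares_target_case)
    K_XY = K_star_xy * pow(Is, -1, P) % P       # eq. (8): K* / Is = K_XY
    return K_XY == pow(PX, SY, P)               # with K_XY, KS = D^K_XY for any D, no agency needed


SAME_IS = [11, 13, 17]       # court reuses (Is, is): the attack succeeds
FRESH_IS = [19, 23, 29]      # court issues a fresh Is per process: the recovered Is is useless
```

reuse_attack(SAME_IS, SAME_IS) returns True, reuse_attack(SAME_IS, FRESH_IS) returns False: the masking by Is protects K_XY exactly as long as Is is never reused.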

4 Distributed ITTPs (or without an ITTP) 

Our proposed International TTP publishes its international public key, and does noth- 
ing related with any user’s secret key. Thus, even in international communication be- 
tween two domains, the users need no communication with the ITTP. However, a crit- 
icism from the practical view point is that the use of such a single International TTP 
sitting over all other national jurisdictions is too idealistic, and naive or completely 
unworkable solution. 

We have a solution to this criticism: the role of such a unique ITTP can be distributed among multiple agencies by using recently developed techniques in threshold cryptography. Our idea is the following. All governments jointly set up an ITTP, so that the ITTP and all governments share the secret key of the organization. In such a distributed (threshold) cryptosystem, the ITTP cannot decrypt a ciphertext encrypted under the organization's public key without the cooperation of all (or at least k) governments. This approach allows the investigator to run a law enforcement protocol only with the approval of all governments, or of at least k of them. 

We remark that any public-key scheme (e.g., RSA or ElGamal) is applicable as the ITTP's encryption scheme. 

Suppose that the ITTPs select ElGamal as their asymmetric cryptosystem. In this case the n ITTPs share the secret key of the organization using Pedersen's scheme. When the law enforcement protocol is executed, each ITTP computes a partial result from the partial secret key it holds, using the distributed deciphering protocol. Combining the partial results enables the investigator to decipher the data encrypted under the public key of the organization, which consists of the n ITTPs, and so to obtain $E_D$. The same technique applies to the distribution of the national secret key: our system works equally well if users deposit the national secret key with the key escrow agencies under a k-out-of-n sharing scheme instead of n-out-of-n sharing. (Appendix A describes the concrete discrete-log based distributed ITTP.) 

RSA is also applicable as the public-key cryptosystem of the ITTPs. The ITTPs share the secret key of the organization by applying a shared RSA key generation method. When the law enforcement protocol is executed, each ITTP computes a partial result in the same way as for ElGamal, and the investigator combines the partial results to obtain $E_D$. Our system also answers the following open problem: 

Can a practical key escrow scheme be designed for the case where more than two domains are involved, and where escrow agencies are not permitted to span more than one domain? 

One requirement stated for international key escrow is that "the interception authorities in any domain can gain access to an escrowed key without communicating with any domain independently." 

We use techniques from threshold cryptography to restrict an escrow agency's tapping power to its own domain. Since a communication in our system is done between two domains (say domain P and domain Q), our solution answers the weaker requirement that "the key is capable of being escrowed by one domain P with the cooperation of other domains except the other domain Q." 

Furthermore, by applying distributed public-key techniques, our proposed system can be flexibly modified to satisfy variants of the requirements of different security policies. 
A A Discrete-log Based Implementation of Our Distributed ITTPs 

A.1 Basic Techniques 

VSS with Dealer [Ped91a]. Pedersen proposed a VSS scheme in which a dealer who knows the secret key distributes a share to each party $P_j$ ($1 \le j \le n$) as follows. Any $k$ ($\le n$) of the $P_j$ can compute the secret key $S$ of the dealer. 

Step 1: The dealer generates $k-1$ random integers $f_1, f_2, \ldots, f_{k-1} \in \mathbb{Z}_q$ and computes $s_j = f(j)$ ($1 \le j \le n$) with the polynomial $f(z) = f_0 + f_1 z + \ldots + f_{k-1} z^{k-1}$, where $f_0 = S$. 

Step 2: The dealer sends each $P_j$ ($1 \le j \le n$) the share $s_j$ and the verification vector 

$V = (g^{f_0}, g^{f_1}, \ldots, g^{f_{k-1}}).$ 

Step 3: Each $P_j$ ($1 \le j \le n$) verifies that $g^{s_j} = \prod_{i=0}^{k-1} (g^{f_i})^{j^i} \pmod p$. 
VSS without Dealer [Ped91b]. Pedersen also presented a VSS scheme without a dealer, in which the parties $P_j$ ($1 \le j \le n$) jointly generate a key pair and share the secret key of the group. We describe the protocol below, where $k$ ($\le n$) is the threshold. 

Step 1: Each party $P_i$ generates $x_i$ and $k-1$ random integers $f_{i1}, f_{i2}, \ldots, f_{i,k-1} \in \mathbb{Z}_q$, and chooses the polynomial $f_i(z) = f_{i0} + f_{i1} z + \ldots + f_{i,k-1} z^{k-1}$ with $f_{i0} = x_i$. For $1 \le j \le n$, $P_i$ calculates $s_{ij} = f_i(j)$. 

Step 2: $P_i$ sends each $P_j$ ($1 \le j \le n$) the share $s_{ij}$ and the verification vector 

$V_i = (g^{f_{i0}}, g^{f_{i1}}, \ldots, g^{f_{i,k-1}}).$ 

Step 3: Each $P_i$ ($1 \le i \le n$) verifies the validity of each share $s_{ji}$ received from $P_j$ by checking $g^{s_{ji}} = \prod_{l=0}^{k-1} (g^{f_{jl}})^{i^l} \pmod p$, and goes to the next step only if every verification is accepted. 

Step 4: Each $P_i$ calculates $s_i = \sum_{j=1}^{n} s_{ji}$ and stores the partial secret $s_i$ as its share of the secret key $S = x_1 + x_2 + \ldots + x_n$. 



Distributed Deciphering Protocol. Now any set $A$ of $t$ parties $P_j$ can compute the secret key $S$ as follows: 

$S = \sum_{j \in A} s_j \lambda_{j,A} \pmod q, \qquad \lambda_{j,A} = \prod_{i \in A \setminus \{j\}} \frac{i}{i - j} \pmod q.$ 

Based on the above technique, Desmedt and Frankel proposed a distributed deciphering algorithm for the ElGamal cryptosystem. Suppose that the entity X has a message $M$ encrypted under the public key $(y, g, p)$, where $C = (C_1, C_2) = (g^r \bmod p,\; M y^r \bmod p)$. The key $y$ of the group composed of the parties $P_j$ satisfies $y = g^S \pmod p$. 

X has the distributed parties decrypt the ciphertext with their shares as follows. 

Step 1: X sends $C_1$ to each party $P_j \in A$. 

Step 2: Each $P_j$ calculates the partial result $R_j = C_1^{s_j \lambda_{j,A}} \pmod p$ and sends $R_j$ to X. 

Step 3: X combines the $t$ partial results to obtain the message $M$: 

$C_2 / \prod_{j \in A} R_j = M y^r / g^{r \sum_{j \in A} s_j \lambda_{j,A}} = M y^r / y^r = M \pmod p.$ 

The algorithm allows the distributed parties to decrypt a ciphertext encrypted under the group public key without revealing their shares and without computing the secret key $S$. Note that this differs from the technique above, which computes $S$ itself from $t$ shares revealed by the parties $P_j$. 



Distributed ITTPs. The ITTP, which is involved only in the law enforcement protocol for communication between users belonging to different countries, allows the tapping of a communication to be performed with the consent of both countries. The arrangement is intended for communication between two countries whose policies on key escrow are affirmative and negative respectively. When the affirmative country wants to tap such a communication, the consent of the negative country is required, so as not to incur that government's wrath. 

The distributed ITTP generates and shares the group secret key $u$ using Pedersen's scheme described in Section A.1. Let $h = g^u$ be the corresponding public key of the ITTP. Any $k$ out of the $m$ ITTPs can produce an output with the secret key $u$. 
Setting up the Parameters of Users. Each user generates a domestic key and an international key as follows. 

Domestic Key: A user in the negative country generates a secret and public key pair and registers the public key as the domestic key via the certificate authority. A user in the affirmative country, on the other hand, deposits and registers the secret key as follows. Each user $U_i$ generates the domestic secret key $x_i$ and computes $y_i = g^{x_i} \pmod p$ as the domestic public key. Then $U_i$ distributes a share of $x_i$ to each $T_j$ in the user's own country, using Pedersen's technique with a dealer. The $y_i$ is registered as the domestic key of $U_i$ only when the shares have been distributed correctly. 

International Key: Each user $U_i$ who wants to make international communications generates the international secret key $s_i$ and computes the public key $P_i = g^{s_i} \pmod p$. Then $U_i$ registers the international public key $P_i$ with the CA for international keys only. Note that the secret key $s_i$ need not be deposited with any institution, and the ITTP is not involved at the key registration stage. 



A.2 International Communication 

The protocol for $U_A$ in country P conducting encrypted communication with $U_B$ in country Q is the same as the protocol for a single ITTP described earlier. The difference lies in the following law enforcing protocol. 



Law Enforcing Protocol. The following protocol is performed when the investigator in country Q starts tapping the encrypted communication of $U_B$. Here, the investigator has already obtained the encrypted message $C$ and the LEAF of the communication. For simplicity, $T_1, T_2, \ldots, T_k$ among the $m$ TTPs in country Q are the agencies involved in this protocol. 

Step 1: The investigator of country Q petitions the court of justice in his own country for an order permitting law enforcement on the communication of $U_B$. 

Step 2: The court decides whether or not to permit the surveillance. If permission is granted, the court issues an order that clearly specifies the verification date and the name of the user who will be subject to the surveillance ($U_B$). 

Step 3: The court of justice generates the parameters $(I_s, i_s)$ satisfying 

$I_s = I_{s1} I_{s2} \cdots I_{sk} \pmod p, \qquad i_s = i_{s1} + i_{s2} + \cdots + i_{sk} \pmod q.$ 

The court transmits both the warrant and $(I_{sj}, i_{sj})$ to each $T_j$ ($1 \le j \le k$) in country Q. 

Step 4: The investigator petitions country P for agreement to the tapping of the communication line. 

Step 5: Country P decides whether or not to permit the surveillance. If permission is granted, country P issues a consent bond for the tapping. 

Step 6: The investigator submits the consent bond of country P to the $t$ attending ITTPs (let $\Gamma$ be the set of these $t$ ITTPs). 

Step 7: After verifying the validity of both the court order and the consent bond, each $\mathrm{ITTP}_j$ computes a partial result $R_j$ from its share $u_j$ and the appropriate Lagrange coefficient $\gamma_{j,\Gamma}$, and sends $R_j$ to the investigator (see Section A.1), where 

$u = \sum_{j \in \Gamma} u_j \gamma_{j,\Gamma} \pmod q, \qquad \gamma_{j,\Gamma} = \prod_{i \in \Gamma \setminus \{j\}} \frac{i}{i - j} \pmod q.$ 

Step 8: The investigator combines the partial results $R_j$ from the $\mathrm{ITTP}_j$ to obtain $Inf$, where $Dec(Inf) = (E_D, D', C, y_A, y_B, P_A, P_B)$. If and only if the extracted $D'$ and the $D$ in the LEAF are identical, the investigator sends the court order to the related $T_j$ ($1 \le j \le k$). Here, let $A$ be the set of these $k$ key escrow agencies. 

Step 9: Each $T_j$ computes a partial result $K_j \pmod p$ from its stored share $s_{Bj}$ and sends $K_j$ to the investigator. 

Step 10: The investigator combines the $k$ partial results to obtain $K^* = \prod_{j=1}^{k} K_j \pmod p$ and transmits $K^*$ to each $T_j$. 

Step 11: Each $T_j$ computes $K'_j \pmod p$ and sends $K'_j$ to the investigator. 

Step 12: The investigator computes the session key $KS = \prod_{j=1}^{k} K'_j \pmod p$ from the partial results. 

The investigator then decrypts the ciphertext $C$ with the computed $KS$ to obtain the message $M = f^{-1}(C, KS)$. 
Abstract. This paper introduces a method for tracking different copies of functionally equivalent algorithms containing identification marks known to the attacker. Unlike all previous solutions, the new technique does not rely on any marking assumption and leads to a situation where each copy is either traceable or so severely damaged that it becomes impossible to store in polynomial space or run in polynomial time. 

Although RSA-related, the construction is particularly applicable to confidential block ciphers such as Skipjack, RC4, GOST 28147-89, GSM A5, COMP128, TIA CAVE or other proprietary executables distributed to potentially distrusted users. 



1 Introduction 

Although software piracy costs $11.2 billion per year, impedes job growth and robs governments of millions of dollars in tax revenues, most existing protections still rely on legal considerations or platform-specific assumptions. 

The most common solutions are based on electronic extensions (dongles) containing memory tables or cheap 4-bit microcontrollers; to rely on these, the protected program periodically challenges the dongle via the computer's parallel port and makes sure that the retrieved answers are correct. Unfortunately, given enough time, skill and motivation, it is always possible to disassemble the program, find the dongle calls and remove them from the code. In some sense, this approach mixes tamper-resistance and steganography. 

A somewhat more efficient solution (mostly used in the PlayStation industry) consists of executing strategic code fragments in the dongle. As an example, a chess program (exchanging a couple of bytes per round with the player) can be executed in the dongle while less important game parts such as graphics, sounds and keyboard interfaces can be left unprotected on a CD, useless for playing without the dongle. 

H. Imai and Y. Zheng (Eds.): PKC'99, LNCS 1560, 1999. 

A third approach consists of dividing the protected media into two partitions: 
a first (conventionally formatted) area contains a program called loader while the 
second, formatted in a non-standard way, contains the protected software itself. 
When the loader is executed, it reads-out the second partition into the RAM and 
jumps into it. Since operating system commands are unable to read the second 
partition, its contents are somewhat protected, although patient attackers can 
still analyze the loader or copy the executable directly from the RAM. 

By analogy to the double-spending problem met in e-cash schemes, it seems impossible to prevent duplication without relying on specific hardware assumptions, simply because digital signals are inherently copyable. This difficulty progressively shifted research from prevention to detection, assuming that the former is achieved by non-technical (legal) means. In such models, users generally get personalized yet very similar copies of given data (referred to as equivalent), where the slight dissimilarities (marks) between copies are designed to resist collusion, be asymmetric, or offer anonymity and other cryptographic features. 

It is important to stress that all such systems rely on the hypothesis that the marks are scattered in a way that makes their location, alteration or destruction infeasible (the marking assumption). In practice, marking heavily depends on the nature of the protected data and the designer's imagination. Different strategies are used for source code, images and texts, and vary from fractal coding, statistical analysis or stereometric image recordings to paraphrasing information exchanged between friendly intelligence agencies. 

This paper shows that, at least as far as functions, algorithms or programs are concerned, marking assumptions can be replaced by regular complexity ones; consequently, we will assume that all identification marks (and their positions) are known to the attacker and try to end up in a situation where each copy is either traceable or so severely damaged that it becomes impossible to store in polynomial space or run in polynomial time. 

The new construction appears particularly suitable to proprietary cryptosystems such as Skipjack, RC4, GOST 28147-89, GSM A5, COMP128 or TIA CAVE, distributed to potentially distrusted users. Although it seems unlikely that a large number (> 100) of copies will be marked in practice, we believe that the new method can be useful in the following contexts, where a few copies are typically distributed: 

• Proprietary standardization committees (such as the TIA-AHAG, the GSM consortium or the DVB group) could distribute different yet equivalent functions to each member company. Although such a deployment does not incriminate individuals, it will point out the company which should be held collectively responsible. 

• In an industrial development process, different descriptions of the same function could be given to each involved department (e.g. software, hardware, integration and test) and the final client. 

Although acceptable, the performances of our solution degrade when the 
number of users increases; we therefore encourage researchers and implementers 
to look for new variants and improvements of our scheme. 

2 The Formal Framework 

The new protocol involves a distributor and several users; the distributor is 
willing to give each user a morphologically different, yet functionally equivalent, 
implementation of a function. Hereafter, the word function will refer to the 
mathematical object, while implementations will represent electronic circuits 
or programs that compute a function (more formally, implementations can be 
looked upon as polynomial circuits that compute the function) . 

Definition 1: Let $\mathcal{M}$ and $\mathcal{L}$ be sets of integers. A distribution of the function $f : \mathcal{M} \to \mathcal{L}$ is a set of implementations $\mathcal{F}$ such that: 

$\forall F \in \mathcal{F},\ \forall x \in \mathcal{M}: \quad f(x) = F[x]$ 

Definition 2: Let $\mathcal{M}$ and $\mathcal{L}$ be sets of integers. A keyed distribution of the function $f : \mathcal{M} \to \mathcal{L}$ is an implementation $F$ and a set of integers $\mathcal{K}$ such that: 

$\forall k \in \mathcal{K},\ \forall x \in \mathcal{M}: \quad f(x) = F[x, k]$ 

A keyed distribution can be regarded as a monolithic device that behaves like the function $f$ when fed with a key belonging to $\mathcal{K}$, whereas a distribution is simply a set of independent software or hardware devices that behave like the function $f$. Note that both definitions are equivalent: a keyed distribution is a specific distribution, and a keyed distribution can be constructed from a distribution by collecting all the implementations and calling the one corresponding to the key; we will therefore use the simpler definition of keyed distribution. 

These definitions do not capture the fact that several implementations might be trivially derived from each other. If, for instance, $F[x, k] = kx$ then it is easy to find an implementation $F'$ such that $F'[x, 2k] = kx$ ($F'$ can be $F[x, 2k]/2$). To capture this, we define an analyzer: 

Definition 3: Let $\{F, \mathcal{K}\}$ be a keyed distribution of $f$. An analyzer $Z$ of this distribution is an algorithm that takes as input $\{F, \mathcal{K}\}$ and an implementation $F'$ of $f$, and tries to find the key $k \in \mathcal{K}$ used in $F'$. $Z$ may either fail or output $k$. 

In other words, when an opponent receives a legitimate implementation of $f$ keyed with $k$ and modifies it, the analyzer's role consists of trying to recover $k$ despite the modifications. The analyzer consequently behaves as a detective in our construction. 
2.1 Adversarial Model 

As usual, the adversary's task consists of forging a new implementation which is unlinkable to those received legitimately. We distinguish two types of opponents: passive adversaries, which restrict themselves to re-keying existing implementations, and active adversaries, who may re-implement the function in any arbitrary way. When distribution is done through hardware tokens (decoders, PC cards, smart cards) where keys are stored in EEPROM registers or battery-powered RAM cells, passive adversaries are only assumed to change the registers' contents, while active ones may re-design whole new hardware from scratch. 

Definition 4: Let $c$ be a security parameter. A keyed distribution $\{F, \mathcal{K}\}$ for the function $f$ is $c$-copyrighted against a passive adversary if, given $C \subset \mathcal{K}$ with $|C| \le c$, finding a $k \notin C$ such that $\{F, k\}$ implements $f$ is computationally hard¹. 

Definition 5: Let $c$ be a security parameter. A keyed distribution $\{F, \mathcal{K}\}$ with analyzer $Z$ for $f$ is $c$-copyrighted against an active adversary if, given $C \subset \mathcal{K}$ with $|C| \le c$, finding an implementation $F'$ of $f$ such that the analyzer $Z$, given input $F'$, outputs either an integer $k \in \mathcal{K} \setminus C$ or fails is computationally hard. 



3 The New Primitive 

The basic observation behind our construction is that in many public-key cryptosystems, a given public key corresponds to infinitely many integers which are equivalent to the secret key and can be used as such. 

For instance, using standard notations, it is easy to see that a DSA key $x$ can be equivalently replaced by any $x + kq$, and an RSA key $e$ can be looked upon as the inverse of any $d_k = e^{-1} \bmod \phi(n) + k\phi(n)$. We intend to use this flexibility to construct equivalent modular exponentiation copies. 

At first glance it appears impossible to mark an RSA function using the above observation, since given $n$, $e$ and $d_k$, a user can trivially find $\phi(n)$ (hereafter $\phi$) and replace $d_k$ by some other $d_{k'}$. Nevertheless, this difficulty can be circumvented if we assume that the exponentiation is only a building block of some other primitive (for instance a hash function) where $e$ is not necessary. 

We start by presenting a solution for two users and prove its correctness; the two-user case will then be used as a building block to extend the construction to more users. 

When only two users are concerned, a copyrighted hash function can be distributed and traced as follows: 

Distribution: The designer publishes a conventional hash function $h$ and an RSA modulus $n$, selects a random $d < \phi$ and a couple of random integers $\{k_0, k_1\}$, computes the quantities $d_i = d + k_i \phi$, keeps $\{\phi, d, k_0, k_1\}$ secret and discloses the implementation $H[x, i] = h(h(x)^{d_i} \bmod n)$ to user $i \in \{0, 1\}$. 

¹ With respect to the parameters of the scheme used to generate $\mathcal{K}$. 
Tracing: Upon recovery of a copy, the designer analyzes its exponent. If $d_0$ or $d_1$ is found, the leaker is identified, and if a third exponent $d'$ appears, both users are identified as a collusion. 

4 Analysis 

One can easily show that the essential cryptographic properties of the hash function are preserved and that the distribution is 1-copyrighted against passive adversaries. It seems difficult to prove resistance against general active adversaries; however, we show that if such opponents are bound to use circuits performing arithmetic operations modulo $n$, then we can exhibit an analyzer that makes our distribution 1-copyrighted. 

Theorem 1: $h$ and $H$ are equally collision-resistant. 

PROOF: Assume that a collision $\{x, y\}$ is found in $h$; trivially, $\{x, y\}$ is also a collision in $H$. To prove the converse, assume that a collision $\{x', y'\}$ is found in $H$. Then either $h(x')^d = h(y')^d \bmod n$, in which case $\{x', y'\}$ is also a collision in $h$ (with $\gcd(d, \phi) = 1$, exponentiation by $d$ is a permutation of $\mathbb{Z}_n^*$), or $h(x')^d \ne h(y')^d \bmod n$ and $\{h(x')^d \bmod n,\; h(y')^d \bmod n\}$ is a collision in $h$. □ 

Lemma 1: Finding a multiple of $\phi(n)$ is as hard as factoring $n$. 

PROOF: This lemma is due to Miller. □ 

Theorem 2: If factoring is hard, $\{H, \{d_0, d_1\}\}$ is 1-copyrighted against a passive adversary. 

PROOF: Assume, without loss of generality, that an adversary receives the implementation $H$ and the key $d_0$. Suppose that he is able to find $d' \ne d_0$ such that $H[\cdot, d_0] = H[\cdot, d']$. Then $d_0 - d'$ is a multiple of $\phi(n)$ and, by virtue of Miller's lemma, $n$ can be factored. □ 
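The two-user distribution and tracing of Section 3, together with the fact behind Theorem 2, as an added example that is not the paper's code: two valid exponents for the same modulus differ by a multiple of $\phi(n)$, and the standard square-root-of-one search (the algorithm behind Miller's lemma, written out here since the paper only cites it) turns that multiple into a factor of $n$. The primes are well-known constructed toy values, far too small for real use, and the example assumes $\gcd(d, \phi) = 1$ so that exponentiation by $d$ is a permutation.

```python
"""Two-user copyrighted hash H[x, i] = h(h(x)^{d_i} mod n), d_i = d + k_i*phi,
with tracing and the collusion consequence of Theorem 2. Added example, not
the paper's code; the primes are toy values (assumption)."""
import hashlib
import math
import random

_rng = random.Random(7)


def h(x):
    """Conventional hash h: SHA-256 of the decimal string, as an integer."""
    return int.from_bytes(hashlib.sha256(str(x).encode()).digest(), "big")


class Designer:
    def __init__(self, p, q):
        self.n, self.phi = p * q, (p - 1) * (q - 1)
        self.d = 3
        while math.gcd(self.d, self.phi) != 1:       # random d < phi, invertible
            self.d = _rng.randrange(3, self.phi)
        k0, k1 = _rng.sample(range(1, 2**40), 2)      # k_0 != k_1
        self.exponents = (self.d + k0 * self.phi, self.d + k1 * self.phi)  # d_0, d_1

    def implementation(self, i):
        """H[., i] = h(h(x)^{d_i} mod n), the copy handed to user i in {0, 1}."""
        d_i, n = self.exponents[i], self.n
        return lambda x: h(pow(h(x) % n, d_i, n))

    def trace(self, exponent):
        """Tracing: d_0 or d_1 names the leaker; any other exponent congruent
        to d mod phi can only have been built from both copies."""
        if exponent == self.exponents[0]:
            return "user 0"
        if exponent == self.exponents[1]:
            return "user 1"
        if (exponent - self.d) % self.phi == 0:
            return "collusion of users 0 and 1"
        return "not an implementation of H"


def factor_from_phi_multiple(n, m, tries=64):
    """Given m = c * phi(n) for some c > 0, find a nontrivial factor of n.
    Write m = 2^r * u with u odd; for random a the sequence a^u, a^{2u}, ...
    ends at 1, and a nontrivial square root of 1 met on the way splits n."""
    r, u = 0, m
    while u % 2 == 0:
        u, r = u // 2, r + 1
    for _ in range(tries):
        a = _rng.randrange(2, n - 1)
        g = math.gcd(a, n)
        if 1 < g < n:
            return g
        x = pow(a, u, n)
        for _ in range(r):
            y = x * x % n
            if y == 1 and x not in (1, n - 1):
                return math.gcd(x - 1, n)
            x = y
    return None


def collusion_factors(designer):
    """What users 0 and 1 learn together: d_0 - d_1 = (k_0 - k_1) * phi(n)."""
    d0, d1 = designer.exponents
    return factor_from_phi_multiple(designer.n, abs(d0 - d1))
```

A single user holding only $d_0$ cannot produce a second valid exponent without a multiple of $\phi$; two colluding users have one immediately, and with it the factorization, which is exactly why a third exponent is attributed to both of them.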

Theorem 3: If factoring is hard, then $\{H, \{d_0, d_1\}\}$ is 1-copyrighted against an active adversary restricted to performing arithmetic operations modulo $n$. 

PROOF: (Sketch) We show that an active adversary is not more powerful than a passive one. We build $Z$ as follows: $Z$ first extracts the exponentiation part. It then formally evaluates the function computed by this part, with respect to its constants $\{c_1, \ldots, c_w\}$ and input $x$, replacing modular operations by regular ones. This yields a rational function $P/Q$ in the variable $x$ with coefficients depending only on $\{c_1, \ldots, c_w\}$. It finally evaluates all these coefficients modulo $n$. A careful bookkeeping of the non-zero monomials shows that either the adversary has obtained a multiple of $\phi(n)$ (and can therefore factor $n$) or that $P$ divides $Q$. This means that the rational function is in fact reduced to a single monomial, from which we can compute the value of the corresponding exponent, and the security of the construction follows from the security against the passive adversary. □ 

Note that resistance against active adversaries is more subtle than our basic design suggests: assuming that $d$ is much longer than $\phi$, adding random multiples of $\phi$ to $d$ will not alter its most significant bits up to a certain point; consequently, there is a finite number of $\ell$-bit exponents congruent to $d \bmod \phi$ and having a given bit pattern (say $u$) in their most significant part. The function $h(h(x)^{d'} \bmod n)$ will thus admit only a finite number of passive forgeries. 



5 Tracing More Users 

Extending the previous construction to more users is somewhat more technical; obviously, one cannot simply distribute more than two exponents, as this would blind the collusion-detection mechanism. 

System setup is almost as before: letting $t$ be a security parameter, the designer publishes a hash function $h$ and $t$ RSA moduli $\{n_1, \ldots, n_t\}$, selects $t$ random triples $\{d[j] < \phi_j,\; k[0, j],\; k[1, j]\}$ and computes the $t$ pairs: 

$d[i, j] = d[j] + k[i, j]\,\phi_j \quad \text{for } i \in \{0, 1\}$ 

Then the designer selects, for each user, a $t$-bit string $\omega$. We will call $\omega$ the ID or the codeword of this user. Each user receives, for each $j$, one of the two keys $d[0, j]$, $d[1, j]$ (he receives $d[0, j]$ if the $j$-th bit of $\omega$ is zero and $d[1, j]$ otherwise). The exact codeword generation process will be discussed later. 

Let $s$ be a security parameter ($0 < s < t$). The function is now defined as follows: the input $x$ is hashed and the result $h(x)$ is used to select $s$ keys among the $t$ keys of a user. For simplicity, let us rename these $s$ keys $\{a_1, \ldots, a_s\}$ for a given user. 

We now define $H[x] = H[s, x]$ recursively by: 

$H[1, x] = h(x^{a_1} \bmod n_1)$ and 

$H[j, x] = h(H[j-1, x]^{a_j} \bmod n_j)$ for $j > 1$ 

A simple (and sometimes acceptable) approach would be to distribute copies with randomly chosen codewords. However, by doing so, logarithmic-size collusions could recover the exponents with constant probability and forge new implementations; therefore, specific sets of codewords must be used. Letting $C$ be a coalition of $c$ users provided with codewords $\{\omega_1, \ldots, \omega_c\}$, $C$ cannot change $d[i, j]$ if and only if all codewords match on their $j$-th bit. Hence, the problem to solve boils down to the design of a set of codewords amongst which any subset, possibly limited to a given size, has elements which match on enough positions to enable tracing. This problem was extensively studied in prior work, which exhibits a set of codewords of polylogarithmic length capable of tracing logarithmic-size coalitions. 

While that code's hidden constant is rather large, our marks are a totally independent entity and their size is not related to the size of the function (which is not the case when one adds marks to an image or a text); hence, only complexity-theoretic considerations (the hardness of factoring $n$) may increase the number of symbols in $H$. 
Finally, the new construction allows the level of security to be adjusted by tuning $s$ accordingly. Although pirates could try to distribute copies with missing exponents in order not to get traced, such copies become almost unusable even if only a few exponents are omitted. This approach (detecting only copies which are usable enough) is similar to the one suggested by Pinkas and Naor. Assuming that $m$ of the exponents are missing and that each computation requires $s$ exponents out of $t$, the probability of a correct output is: 

$\Pr[t, m, s] = \frac{(t-s)!\,(t-m)!}{t!\,(t-m-s)!}$ 

Given the quick decay of $\Pr[t, m, s]$ (typically $\Pr[100, 10, 10] \approx 0.33$) and the fact that repeated errors can be detected and traced, it is reasonable to assume that these untraceable implementations are not a serious business threat. No one would buy a pirate TV decoder displaying only three images out of ten (the perturbation can be further amplified by CBC, in which case each error will de-synchronize the image decryption until the next stream-cipher initialization). 
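The multi-user construction of Section 5 on constructed toy parameters, as an added example that is not the paper's code: the $t$ moduli and key pairs $d[0, j], d[1, j]$, codeword-based key issue, the iterated $H[s, x]$ with positions chosen by $h(x)$, the coalition rule (positions where all codewords agree cannot be altered), and $\Pr[t, m, s]$ for copies with missing exponents. The primes are ~20-bit toys found by trial division, and the codewords are plain bit strings rather than the collusion-secure code the text calls for; both are assumptions of the example.

```python
"""Section 5 construction on toy parameters. Added example, not the paper's
code; ~20-bit primes and hand-picked codewords are assumptions."""
import hashlib
import math
import random

_rng = random.Random(11)


def h(x):
    """Conventional hash h: SHA-256 of the decimal string, as an integer."""
    return int.from_bytes(hashlib.sha256(str(x).encode()).digest(), "big")


def next_prime(n):
    """Smallest prime >= n by trial division (toy sizes only)."""
    while any(n % d == 0 for d in range(2, int(n ** 0.5) + 1)):
        n += 1
    return n


class MultiUserSetup:
    def __init__(self, t, s):
        assert 0 < s <= t
        self.t, self.s, self.n, self.keys = t, s, [], []   # keys[j] = (d[0,j], d[1,j])
        for j in range(t):
            p = next_prime(2**20 + 1000 * j)                # constructed toy primes
            q = next_prime(2**20 + 1000 * j + 500)
            phi = (p - 1) * (q - 1)
            d = 3
            while math.gcd(d, phi) != 1:                    # d[j] < phi_j, invertible
                d = _rng.randrange(3, phi)
            k0, k1 = _rng.sample(range(1, 2**32), 2)        # k[0,j] != k[1,j]
            self.n.append(p * q)
            self.keys.append((d + k0 * phi, d + k1 * phi))

    def issue(self, codeword):
        """A user with t-bit codeword omega gets d[omega_j, j] at each j."""
        return [self.keys[j][bit] for j, bit in enumerate(codeword)]

    def positions(self, x):
        """h(x) selects s of the t positions (the same for every user)."""
        return sorted(random.Random(h(x)).sample(range(self.t), self.s))

    def evaluate(self, user_keys, x):
        """H[s, x] = h(... h(h(x^{a_1} mod n_1)^{a_2} mod n_2) ...).
        Returns None when a needed exponent is missing (pirate copy)."""
        val = x
        for j in self.positions(x):
            a = user_keys[j]
            if a is None:
                return None
            val = h(pow(val % self.n[j], a, self.n[j]))
        return val

    def trace(self, recovered_keys, registry):
        """Read the bit encoded by each recovered exponent and return the IDs
        in registry (id -> codeword) consistent with every recovered bit."""
        bits = {}
        for j, a in enumerate(recovered_keys):
            for b in (0, 1):
                if a == self.keys[j][b]:
                    bits[j] = b
        return [uid for uid, w in registry.items()
                if all(w[j] == b for j, b in bits.items())]


def unalterable_positions(codewords):
    """A coalition holding these codewords owns a single key at position j
    exactly when all its codewords agree there, so it cannot change d[., j]."""
    return [j for j in range(len(codewords[0]))
            if len({w[j] for w in codewords}) == 1]


def pr_correct(t, m, s):
    """Pr[t, m, s] = (t-s)!(t-m)! / (t!(t-m-s)!): all s selected positions
    avoid the m missing exponents."""
    if t - m - s < 0:
        return 0.0
    return (math.factorial(t - s) * math.factorial(t - m)
            / (math.factorial(t) * math.factorial(t - m - s)))
```

Every user's copy computes the same function, a leaked honest copy traces back to its codeword, a coalition can only recombine keys at positions where its codewords differ, and a copy with one exponent dropped fails on a fraction of inputs given by $\Pr[t, m, s]$.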



6 Applications 

Building upon a few well-known results, a variety of traceable primitives can be derived from $H$: Feistel ciphers can be copyrighted by using $H$ as a round function, traceable digital signatures can use $H$ in Rompel's construction, and traceable public-key encryption can be obtained by using the construction with a composite modulus (e-less RSA) or by systematically post-encrypting any public-key ciphertext with a watermarked block cipher keyed with a public constant. Interactive primitives such as zero-knowledge protocols or blind signatures can be traced using this same technique. 

The construction also gives birth to new fundamental protocols; a web site could, for example, sell marked copies of a MAC function and record in a database the user IDs and their exponents. Since all functions are equivalent, when a user logs in he does not need to disclose his identity; but if an illegitimate copy is discovered, the web owners can look up the faulty ID in the database². 

Another application consists of restricting software to registered users. In any scenario involving communication (file exchange, data modulation, payment, etc.), the protected software must simply encrypt the exchanged data with a copyrighted block cipher. Assuming that a word processor systematically encrypts its files with a copyrighted block cipher (keyed with some public constant), unregistered users face the choice of getting traced or removing the encryption layer from their copies (the word processor will then be unable to read files produced by legitimate users and will create files that are unreadable by registered programs); consequently, users of untraceable (modified) programs are forced to voluntarily exclude themselves from the legitimate user community. 

² Care should be taken not to restrict the MAC's input space too much, as polynomially small I/O spaces could be published as look-up tables. 
Finally, our scheme can also be used for TV tracing instead of the usual broadcast encryption/traitor tracing techniques. In broadcast schemes, the message is usually block-encrypted, each block being made of a header (which allows each user to recover a random key) and a ciphertext block (which is the encryption of the data under this random key). The main advantage of our scheme is its very low communication overhead: the header can be a simple encryption of the secret key, as all the users receive an equivalent decryption function. There are, however, several disadvantages: we totally lose control over the access structure allowed to decrypt. This means that new keys need to be sent to all registered users from time to time. 

Surprisingly, in our setting smart cards suddenly become a powerful... piracy tool; by programming one of the $H_i$ into a smart card, a pirate can manufacture and distribute executable hardware copies of his function and rely on the card's tamper-resistance features to prevent the designer from reading the exponents that identify him. 

7 Conclusion and Open Questions 

We presented a new (public-domain) marking technique which applies to a variety of functions and relies on regular complexity assumptions; while we need a large amount of data to personalize an implementation when many users are involved, the construction is fairly efficient and can be adjusted to variable security levels. 

There remains, however, a number of fundamental and practical questions, such as the existence of DLP-based copyright mechanisms or the design of a copyright mechanism that allows more than two users to be served by a single (non-iterated) function. From a practical standpoint, it seems easy to compress the set $\{n_1, \ldots, n_t\}$ to only $N + t \log N$ bits (this is done by generating $t$ moduli having identical MSBs). Reducing the size of the exponent set is an interesting challenge. 
Abstract. Since many applications require the verification of large sets of signatures, it is sometimes advantageous to perform a simultaneous verification instead of checking each signature individually. The simultaneous processing, called batching, must be provably equivalent to the sequential verification of all signatures. 

In Eurocrypt '98, Bellare et al. presented a fast RSA batch verification scheme, called screening. Here we successfully attack this algorithm by forcing it to accept a false signature, and repair it by implementing an additional test. 

1 Introduction 

Many industrial applications require the verification of large sets of signatures. 
For example, real-time applications such as web-servers or toll-highway gates 
must verify many coins in a short time-frame. A well-known speed-up strategy 
is batching, a probabilistic test that verifies the correctness of $n$ signatures much 
faster than $n$ sequential verifications. Batching is probabilistic in the sense that 
if (at least) one signature is false, the algorithm rejects the whole set with high 
probability, but it always accepts sets of correct signatures. 

A new batching strategy suggested in [?] (called screening) provides faster 
verification at the cost of weaker guarantees. Just as batching, screening fails 
with high probability if one of the signatures was never produced by the signer, 
but might succeed if the signer signed all the signatures in the past, although 
one of them has since been modified. 

1.1 Batch Verification 

Let $R$ be a boolean relation taking as input an instance $I$ and outputting a bit 
(meaning true or false). For example, $R$ can be RSA's verification algorithm, 
where $R(x, y) = 1 \iff x = y^e \bmod N$. 

A batch instance for $R$ (a sequence $\{I_1, \ldots, I_n\}$ of instances of $R$) is said to 
be correct if $R(I_i) = 1$ for all $i = 1, \ldots, n$ and incorrect otherwise (i.e. there 
exists an $i \in \{1, \ldots, n\}$ such that $R(I_i) = 0$). 

A batch verifier $V$ for $R$ is a probabilistic algorithm that takes as input a 
batch instance $X = \{I_1, \ldots, I_n\}$ and a security parameter $\ell$ and satisfies the two 
following properties: 

1. If $X$ is correct then $V$ outputs 1. 

2. If $X$ is incorrect then the probability that $V$ outputs 1 is at most $2^{-\ell}$. 

If at least one $I_i$ is incorrect, the verifier must reject $X$ with probability 
greater than $1 - 2^{-\ell}$. In practice, $\ell$ should be greater than 64, reducing the error 
probability to $2^{-64}$. 

1.2 Signature Screening 

A signature scheme consists of three components: 

1. A probabilistic key generation algorithm $\mathrm{generate}(1^k) \to \{P, S\}$, where $P$ 
is the public key and $S$ the secret key. 

2. A private signature algorithm $\mathrm{sign}_S(M) \to x$ where $M$ is the message and 
$x$ the signature. 

3. A public verification algorithm $\mathrm{verify}_P(M, x) \to \{0, 1\}$, with 

$$\mathrm{verify}_P(M, x) = 1 \iff x = \mathrm{sign}_S(M)$$ 

A weaker notion of batch verification, called screening, is introduced in [?]. 

A batch instance for signature verification consists of a sequence: 

$$B = \{\{M_1, x_1\}, \ldots, \{M_n, x_n\}\}$$ 

where $x_i$ is a purported signature of $M_i$ with respect to some public key $P$. 

A screening test $\mathrm{screen}$ is a probabilistic algorithm that takes as input a batch 
instance and outputs a bit. It must satisfy the two following properties: 

1. Validity: correct signatures are always accepted: 

$$\mathrm{verify}_P(M_i, x_i) = 1 \text{ for all } i = 1, \ldots, n \text{ implies } \mathrm{screen}_P(B) = 1$$ 

2. Security: if a message $M_i \in B$ was never signed by $\mathrm{sign}_S$, $B$ will be rejected 
with high probability. 

2 RSA Signature Screening 

Bellare et al.'s screening algorithm for hash-then-decrypt RSA signatures 
proceeds as follows: 

The public key is $\{N, e\}$ and the secret key is $d$, where $N$ is an RSA modulus, 
$e$ the encryption exponent and $d$ the corresponding decryption exponent, 
$ed = 1 \bmod \varphi(N)$. Let $H$ be a public hash function. 

The signature algorithm is: 

$$\mathrm{sign}_{\{N, d\}}(M) = H(M)^d \bmod N$$ 

and the corresponding verification algorithm is: 

$$\mathrm{verify}_{\{N, e\}}(M, x) = 1 \iff x^e = H(M) \bmod N$$ 

The security of this scheme was studied in [?], where it was shown that $H$ 
should ideally hash strings uniformly into $\mathbb{Z}_N^*$. This was called the full domain 
hash scheme (FDH). 

FDH-RSA screening [?] is very simple: given $N$, $e$, an oracle access to the 
hash function $H$ and 

$$\{\{M_1, x_1\}, \ldots, \{M_n, x_n\}\} \text{ with } x_i \in \mathbb{Z}_N^*$$ 

the screener outputs 1 if $\left(\prod_{i=1}^{n} x_i\right)^e = \prod_{i=1}^{n} H(M_i) \bmod N$ and 0 otherwise. 

The test is efficient as it requires $n$ hashings, $2n$ multiplications and a single 
exponentiation, instead of $n$ hashings and $n$ exponentiations for the sequential 
verification of all signatures. 



3 The Attack 

The flaw in this screening protocol is based on Davida's homomorphic attack 
[?] and is reminiscent of the Fiat-Shamir implementation detail pointed out in [?]. By 
repeating a data element a certain number of times, we compensate the forgery's 
effect and force the verifier to accept an instance containing a piece of data that 
was never signed. The attack is illustrated for $e = 3$ but could work with any 
reasonably small exponent (although less secure, small exponents are often used 
to speed up RSA verifications). 

Let $M_1 \neq M_2$ be two messages and $x_1 = \mathrm{sign}_S(M_1)$, which implies: 

$$x_1^3 = H(M_1) \bmod N$$ 

Let $B'$ be the batch instance: 

$$B' = \{\{M_1, x_1 H(M_2) \bmod N\}, \{M_2, 1\}, \{M_2, 1\}, \{M_2, 1\}\}$$ 

Then $\mathrm{screen}_P(B') = 1$ although $M_2$ was never signed: indeed, 
$(x_1 H(M_2) \cdot 1 \cdot 1 \cdot 1)^3 = H(M_1) H(M_2)^3$, which is exactly the product 
$H(M_1) \cdot H(M_2) \cdot H(M_2) \cdot H(M_2) \bmod N$ of the four hash values. 

An attacker $\mathcal{A}$ may thus produce a batch instance which contains a forgery 
(a message that was never signed by the signer) that goes undetected by the 
verifier. In the next section we explain how to prevent this attack and correct 
the scheme's security proof. 
4 Preventing the Attack 

To prevent the attack the verifier must check that no message appears more than 
once in the batch. This can be done in $O(n \log n)$ and suffices to reject $B'$, where 
$\{M_2, 1\}$ appeared three times. Note that making the comparison only on the $x_i$ would 
not be a satisfactory repair. 

The following corrects the security proof given in [?] and shows that screening 
plus message comparisons is provably secure unless inverting RSA is easy. 
Since the security of screening is based on the hardness of RSA, we recall the 
formalization given in [?]. 

The security of RSA is quantified as a trapdoor permutation $f$. The $\mathrm{RSA}_e$ 
function $f : \mathbb{Z}_N^* \to \mathbb{Z}_N^*$ is defined by: 

$$f(x) = x^e \bmod N$$ 

whose inverse is: 

$$f^{-1}(y) = y^d \bmod N$$ 

where $N$ is a $k$-bit modulus, product of two $(k/2)$-bit primes, $e$ the public 
exponent and $d$ the secret exponent. 

$\mathrm{RSA}_e$ is said to be $(t, \epsilon)$-secure if an attacker, given a randomly chosen 
$y \in \mathbb{Z}_N^*$ and a limited running time $t(k)$, succeeds in finding $f^{-1}(y)$ with 
probability at most $\epsilon(k)$. 

The following theorem states that if $\mathrm{RSA}_e$ is secure, then an adversary cannot 
produce an acceptable FDH-RSA screening instance that contains a message 
that was never signed by the signer. The proof assumes the random oracle model, 
where the hash function is seen as an oracle giving a truly random value for each 
new query. If the same query is asked twice, the answers are of course identical. 

Theorem 1: Assume that $\mathrm{RSA}_e$ is $(t', \epsilon')$-secure. Let $\mathcal{A}$ be an adversary 
who, after a chosen message attack on the FDH-RSA signature scheme, outputs a 
batch instance with $n$ distinct messages, in which at least one message was never 
signed. Assume that in the chosen message attack $\mathcal{A}$ makes $q_s$ FDH signature 
queries and $q_h$ hash queries, and suppose that the total running time of $\mathcal{A}$ is 
at most $t(k) = t'(k) - \Omega(k^3) \times (n + q_s + q_h)$. Then the probability that the 
FDH-RSA signature screening test accepts the batch instance is at most 
$\epsilon(k) = \epsilon'(k) \times (n + q_s + q_h)$. 

PROOF: The proof is easily derived from [?]; the only correction consists in 
ensuring that the equation: 

$$y_{M_m} \times \prod_{i \neq m} y_{M_i} = \Big(\prod_{i=1}^{n} x_i\Big)^e \bmod N$$ 

can be solved for $y_m = y_{M_m}$. Namely, if all the messages $M_i$ in the 
batch instance are distinct, the term $y_{M_m}$ differs from the other terms $y_{M_i}$ with 
overwhelming probability and we get: 

$$y_m = \Big(\prod_{i=1}^{n} x_i\Big)^e \Big/ \prod_{i \neq m} y_{M_i} \bmod N. \qquad \square$$ 



5 Conclusion and Further Research 

We have presented a successful attack against Bellare et al.'s Eurocrypt '98 
screening algorithm and a repair that makes it provably secure against signature 
forgery. 

Alternative repair strategies, such as the splitting of the batch instance into 
buckets, also seem possible, although their implementation seems to require more 
delicate security adjustments. 

Note that the repaired algorithm does not formally respect the validity 
principle stated in Section 1.2, as the batch instance: 

$$\{\{M, H(M)^d \bmod N\}, \{M, H(M)^d \bmod N\}\}$$ 

will be rejected (as $M$ appears more than once) although $M$ was correctly 
signed. This is easily fixed by deleting from the batch instance all identical 
signatures except one. 
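The screener of Section 2, the forged instance $B'$ of Section 3, and the message-uniqueness check of Section 4 combined with the de-duplication of identical pairs just described, as an added Python example that is not part of the paper; the two primes, the messages and the SHA-256-based stand-in for the full-domain hash $H$ are constructed toy values.

```python
# Added example (not from the paper): a toy FDH-RSA signer, the Bellare et al.
# screener of Section 2, the duplicate-message forgery of Section 3, and the
# message-uniqueness repair of Section 4 with the de-duplication fix of Section 5.
# Toy parameters are constructed: two fixed ~30-bit primes (not secure), e = 3,
# and SHA-256 reduced mod N standing in for the full-domain hash H.
import hashlib
from collections import Counter

P, Q = 1000000007, 998244353          # constructed toy primes; p-1 and q-1 are coprime to 3
N = P * Q
E = 3
D = pow(E, -1, (P - 1) * (Q - 1))     # e*d = 1 mod phi(N)


def H(msg: bytes) -> int:
    """Hash into Z_N (toy stand-in for the full-domain hash of the paper)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign(msg: bytes) -> int:
    """FDH-RSA signature: H(M)^d mod N."""
    return pow(H(msg), D, N)


def verify(msg: bytes, x: int) -> bool:
    """Individual verification: x^e == H(M) mod N."""
    return pow(x, E, N) == H(msg)


def screen_original(batch) -> bool:
    """Bellare et al. screening: accept iff (prod x_i)^e == prod H(M_i) mod N.
    Costs n hashes, 2n multiplications and a single exponentiation."""
    prod_x, prod_h = 1, 1
    for msg, x in batch:
        prod_x = prod_x * x % N
        prod_h = prod_h * H(msg) % N
    return pow(prod_x, E, N) == prod_h


def screen_repaired(batch) -> bool:
    """Repaired screening: first drop exact duplicate pairs {M, x} (so a valid
    signature submitted twice is not rejected), then refuse any batch in which a
    message still appears more than once, and only then run the original test."""
    unique = list(dict.fromkeys(batch))        # keeps first occurrence, preserves order
    if any(count > 1 for count in Counter(m for m, _ in unique).values()):
        return False
    return screen_original(unique)


def forged_batch(m1: bytes, m2: bytes):
    """B' of Section 3: m2 is never signed, yet (x1*H(m2))^3 * 1^3 = H(m1) * H(m2)^3."""
    x1 = sign(m1)
    return [(m1, x1 * H(m2) % N), (m2, 1), (m2, 1), (m2, 1)]


def forged_batch_distinct_sigs(m1: bytes, m2: bytes):
    """Same forgery with three distinct x_i for m2 whose product is 1 mod N: this is
    why comparing only the x_i (instead of the messages) is not a satisfactory repair."""
    x1 = sign(m1)
    return [(m1, x1 * H(m2) % N), (m2, 2), (m2, pow(2, -1, N)), (m2, 1)]


if __name__ == "__main__":
    m1, m2 = b"transfer 10 EUR to alice", b"transfer 10000 EUR to mallory"  # constructed
    honest = [(m1, sign(m1)), (m2, sign(m2))]
    print("honest batch, original screen :", screen_original(honest))
    print("forged batch, original screen :", screen_original(forged_batch(m1, m2)))
    print("forged batch, repaired screen :", screen_repaired(forged_batch(m1, m2)))
```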

Finally, it is interesting to observe that the requirement that each element 
must appear only once is probably too restrictive (this point should, however, be 
carefully investigated!), as the attack does not seem to apply when the number 
of identical messages is not congruent to zero modulo $e$; extending the proof to 
this case does not seem trivial at first glance. 

Screening DSA-like signatures is a challenging problem: at Eurocrypt '94, 
Naccache et al. [?] presented a candidate (cf. Appendix A) which did not appear 
in the proceedings but seems to be a promising starting point [?]. 
APPENDIX A 

(FROM EUROCRYPT'94'S PRE-PROCEEDINGS) 

The signature collection protocol is: for $i = 1$ to $n$ 

• The signer picks $k_i \in_R \mathbb{Z}_q$ and sends $x_i = g^{k_i} \bmod p$, 

• The verifier replies with an $e$-bit message randomizer $b_i$, 

• and the signer sends: 

$$s_i = \frac{\mathrm{SHA}(m_i | b_i) + x\, x_i}{k_i} \bmod q$$ 

The batch verification criterion (with cut-&-choose in case of failure) is: 

$$\prod_{i=1}^{n} x_i = g^{\sum_{i=1}^{n} w_i\, \mathrm{SHA}(m_i | b_i)}\; y^{\sum_{i=1}^{n} w_i x_i} \bmod p \quad \text{where } w_i = \frac{1}{s_i} \bmod q$$ 

This scheme is essentially as fast as a single DSA verification ($3(n-1)|q| = 
480n$ modular multiplications are saved). Its security was assumed to result 
from the following argumentation: assume that $j - 1$ messages were signed and 
denote: 

$$\alpha = \prod_{i=1}^{j-1} x_i \bmod p$$ 

$$\beta = g^{\sum_{i=1}^{j-1} w_i\, \mathrm{SHA}(m_i | b_i)}\; y^{\sum_{i=1}^{j-1} w_i x_i} \bmod p$$ 

$$\gamma = \frac{\alpha\, x_j}{\beta} \bmod p$$ 

If at this point a cheater can produce an $x_j$ such that he can later solve (by 
some algorithm $C(\alpha, \beta, x_j, m_j, b_j, p, q, g, y) = s_j$) the equation: 

$$\gamma^{s_j} = g^{\mathrm{SHA}(m_j | b_j)}\; y^{x_j} \bmod p$$ 

then he can pick, by his own means, any random couple $\{b_1, b_2\}$, find 

$$C(\alpha, \beta, x_j, m_j, b_i, p, q, g, y) = s_{j,i}$$ 

for $i = 1, 2$ and compute directly: 

$$x = \frac{\mathrm{SHA}(m_j | b_1)\, s_{j,2} - \mathrm{SHA}(m_j | b_2)\, s_{j,1}}{x_j\,(s_{j,1} - s_{j,2})} \bmod q$$ 

which satisfies $g^x = y \bmod p$ and breaks DSA. 

This is proved by dividing the equation $\gamma^{s_j} = g^{\mathrm{SHA}(m_j | b_j)} y^{x_j} \bmod p$ 
written for $i = 1$ (with $b_1$ and $s_{j,1}$) by the same equation written for $i = 2$, 
extracting $\gamma$ from the resulting equality and substituting it back into the equation for 
$i = 1$, which becomes $g^x = y \bmod p$. 
Abstract. At Eurocrypt '96, Coppersmith presented a novel application 
of lattice reduction to find small roots of a univariate modular 
polynomial equation. This led to rigorous polynomial attacks against 
RSA with low public exponent, in some particular settings such as 
encryption of stereotyped messages, random padding, or broadcast applications 
à la Håstad. Theoretically, these are the most powerful known 
attacks against low-exponent RSA. However, the practical behavior of 
Coppersmith's method was unclear. On the one hand, the method requires 
reductions of high-dimensional lattices with huge entries, which 
could be out of reach. On the other hand, it is well-known that lattice 
reduction algorithms output better results than theoretically expected, 
which might allow better bounds than those given by Coppersmith's 
theorems. In this paper, we present extensive experiments with Coppersmith's 
method, and discuss various trade-offs together with practical 
improvements. Overall, practice meets theory. The warning is clear: one 
should be very cautious when using the low-exponent RSA encryption 
scheme, or one should use larger exponents. 



1 Introduction 

One longstanding open problem in cryptography is to find an efficient attack 
against the RSA public key cryptosystem [?]. In the general case, the best-known 
method is factoring, although the equivalence of factorization and breaking 
RSA is still open (note that recent results [?] suggest that breaking RSA 
might be easier than factoring). However, under certain conditions, more efficient 
attacks are known (for a survey, see [?]). One of these conditions is when 
the public exponent is small, e.g. 3. This is the so-called low-exponent RSA, 
which is quite popular in the real world. 

The most powerful known attack against low-exponent RSA is due to Coppersmith 
[?]. At Eurocrypt '96, Coppersmith presented two applications [?] 
of a novel use of the celebrated LLL algorithm [?]. Both applications were 
searches for small roots of certain polynomial equations: one for univariate modular 
equations, the other for bivariate integer equations. Instead of using lattice 
reduction algorithms as shortest vector oracles, Coppersmith applied the LLL 
algorithm to determine a subspace containing all reasonably short lattice points. 
He then deduced rigorous polynomial attacks, as opposed to traditional heuristic 
lattice-based attacks. 

H. Imai and Y. Zheng (Eds.): PKC'99, LNCS 1560, pp. 204-…, 1999. 
© Springer-Verlag Berlin Heidelberg 1999 

The Effectiveness of Lattice Attacks Against Low-Exponent RSA 

Finding small integer roots of a modular polynomial equation has great practical 
significance, for instance with the low-exponent RSA encryption scheme, or 
the KMOV cryptosystem (see [?]). More precisely, in the case of low-exponent 
RSA, such roots are related to the problems of encryption of stereotyped messages, 
random padding and broadcast applications. 

However, Coppersmith did not deal with practical issues: the practical behavior 
of his attack was unclear. On the one hand, the method would a priori require 
reductions of high-dimensional lattices with huge entries, in order to achieve the 
theoretical bounds. For instance, with a small example such as 512-bit RSA and 
a public exponent of 3, Coppersmith's proofs suggest reducing matrices of 
dimension over 300, with 17000-digit entries. Obviously, some adjustments need to 
be made. On the other hand, it is well-known that lattice reduction algorithms 
output better results than theoretically expected. Moreover, one could apply 
improved reduction algorithms such as [?], instead of LLL. Thus, if one uses 
smaller parameters than those suggested by Coppersmith's theorems, one might 
still obtain fairly good results. 

In this paper, we present extensive experiments with Coppersmith's method 
applied to the low-exponent RSA case, and discuss various trade-offs together 
with practical improvements. To our knowledge, only limited experiments (see 
[?]) had previously been carried out. Our experiments tend to validate 
Coppersmith's approach. Most of the time, we obtained experimental bounds close 
to the maximal theoretical bounds. For instance, sending $e$ linearly related messages 
to participants with the same public exponent $e$ is theoretically insecure. 
This bound seems unreachable in practice, but we were able to reach the bound 
$e + 1$ in a very short time. The warning is clear: one should be very cautious 
when using low-exponent RSA encryptions, or one should use larger exponents. 

The remainder of the paper is organized as follows. In Section 2, we review 
Coppersmith's method. In Section 3, we recall applications of this method to 
the low-exponent RSA encryption scheme. We describe our implementation, and 
discuss practical issues in Section 4. Finally, Section 5 presents the experiments, 
which give various trade-offs. 



2 Coppersmith’s Method 



In this section, we recall Coppersmith's method, as presented in [?]. Let $N$ be a 
large composite integer of unknown factorization, and $p(x) = x^\delta + p_{\delta-1} x^{\delta-1} + 
\cdots + p_2 x^2 + p_1 x + p_0$ be a monic integer polynomial. We wish to find an integer 
$x_0$ such that, for some $\epsilon > 0$: 

$$p(x_0) = 0 \pmod N \qquad (1)$$ 

$$|x_0| < X = \tfrac{1}{2} N^{1/\delta - \epsilon} \qquad (2)$$ 

Condition (2) means that we look for a reasonably short solution. We select an integer $h$ 
such that: 

$$h > \max \qquad (3)$$ 

Let $n = h\delta$. For $(i, j) \in [0..\delta-1] \times [1..h-1]$, let the polynomial $q_{ij}(x) = x^i p(x)^j$, 
for which $q_{ij}(x_0) = 0 \pmod{N^j}$. 

A rational triangular matrix $M$ is built using the coefficients of the polynomials 
$q_{ij}(x)$, in such a way that an integer linear combination of the rows of 
$M$ corresponding to powers of $x_0$ and $y_0$ will give a vector with relatively small 
Euclidean norm. Multiplying by the least common denominator produces an integer 
matrix on which lattice basis reduction can be applied. This will disclose 
a certain linear relation satisfied by all sufficiently short vectors. Finally, this 
relation will translate to a polynomial relation on $x_0$ over $\mathbb{Z}$ (not mod $N$) of 
degree at most $n$, which we can solve over $\mathbb{Z}$ to discover $x_0$. 

The matrix $M$ of size $(2n - \delta) \times (2n - \delta)$ is broken into four blocks, described below. 

The $n \times (n - \delta)$ block $B$ has rows indexed by $g \in [0..n-1]$, and columns 
indexed by $\gamma(i, j) = n + i + (j - 1)\delta$ with $(i, j) \in [0..\delta-1] \times [1..h-1]$, so that 
$n \le \gamma(i, j) < 2n - \delta$. The entry at $(g, \gamma(i, j))$ is the coefficient of $x^g$ in the 
polynomial $q_{ij}(x)$. The $(n - \delta) \times (n - \delta)$ block $C$ is a diagonal matrix, with the 
value $N^j$ in each column $\gamma(i, j)$. The $n \times n$ block $A$ is a diagonal matrix, whose 
value in row $g$ is a rational approximation to $X^{-g}$, where $X$ is defined by (2). 

The rows of $M$ span a lattice. In that lattice, we are interested in a target 
vector $s$, related to the unknown solution $x_0$. Namely, we define $s = rM$, where 
$r$ is a row vector whose left-hand elements are $r_g = x_0^g$, and whose right-hand 
elements are $r_{\gamma(i,j)} = -x_0^i y_0^j$ with $y_0 = p(x_0)/N$. The vector $r$ and the matrix 
$M$ were constructed in order to make $s$ a short lattice point, with norm strictly 
less than 1. Indeed, $s$ has left-hand elements given by $s_g = (x_0/X)^g$ and 
right-hand elements equal to zero, as $s_{\gamma(i,j)} = q_{ij}(x_0) - x_0^i y_0^j N^j$. In other words, 
the blocks $B$ and $C$ translate the polynomial modular equations $q_{ij}(x)$. The 
fact that $x_0$ satisfies these equations makes the right-hand elements of $s$ equal 
to zero. And the upper bound (2) on the root $x_0$ is expressed by the block $A$. 
The diagonal coefficients "balance" the left-hand elements of $s$. 

In traditional lattice-based attacks, one would reduce the matrix $M$, and 
hope that the first vector of the reduced basis is equal to the target vector $\pm s$. 
But Coppersmith notices that computing this vector explicitly is not necessary. 
Indeed, it suffices to confine the target vector in a subspace, which we now detail. 

As the right-hand elements $s_{\gamma(i,j)}$ of the desired vector $s$ are 0, we restrict 
our attention to the sublattice $\hat{M}$ of $M$ consisting of points with right-hand 
elements 0, namely $M \cap (\mathbb{R}^n \times \{0\}^{n-\delta})$. It is possible to compute explicitly this 
sublattice, by taking advantage of the fact that $p(x)$ and hence $q_{ij}(x)$ are monic 
polynomials: certain $n - \delta$ rows of the block $B$ form an upper triangular matrix 
with 1 on the diagonal. Thus, we can do elementary row operations on $M$ to 
produce a block matrix $\tilde{M}$ of the form: 




where $I$ is the $(n - \delta) \times (n - \delta)$ identity matrix. The $n \times n$ upper-left block $\hat{M}$ 
represents the desired sublattice: an $n$-dimensional lattice, of which $s$ is one 
relatively short element. In particular, $\hat{M}$ and $M$ have the same volume. 

Next, we compute an LLL-reduced basis $(b_1, \ldots, b_n)$ of the matrix $\hat{M}$. From 
the theoretical bounds of the LLL algorithm and the value of the volume of $\hat{M}$ 
(which can be bounded thanks to (2) and (3)), Coppersmith proved that any 
lattice point of norm strictly less than 1 must lie in the hyperplane spanned by 
$b_1, b_2, \ldots, b_{n-1}$. In particular, $s$ is such a lattice point. In terms of the larger 
matrix $M$, there is an $n$-dimensional space of vectors $r$ such that $rM = s$ has 
0's in its right-hand $n - \delta$ entries. And those integer vectors $r$ which additionally 
satisfy $\|s\| < 1$ must lie in a space of dimension one smaller, namely dimension 
$n - 1$. This gives rise to a linear equation on the entries $r_g$, $0 \le g < n$. That is, 
we compute coefficients $c_g$ such that: for any integer vector $r = (r_g, r_{\gamma(i,j)})$ such 
that $s = rM$ has right-hand entries 0 and $\|s\| < 1$, we must have $\sum_g c_g r_g = 0$. In 
particular: 

$$\sum_{g=0}^{n-1} c_g x_0^g = 0.$$ 

This is a polynomial equation holding in $\mathbb{Z}$, not just modulo $N$. We can solve 
this polynomial for $x_0$ easily, using known techniques for solving univariate 
polynomial equations over $\mathbb{Z}$ (for instance, the Sturm sequence [?] suffices). This 
shows: 

Theorem 1 (Coppersmith). Let $p(x)$ be a polynomial of degree $\delta$ in one variable 
modulo an integer $N$ of unknown factorization. Let $X$ be the bound on the 
desired solution $x_0$. If $X < \frac{1}{2} N^{1/\delta - \epsilon}$ then in time polynomial in $(\log N, \delta, 1/\epsilon)$, 
we can find all integers $x_0$ with $p(x_0) = 0 \pmod N$ and $|x_0| < X$. 

Corollary 2 (Coppersmith). With the same hypothesis, except that $X < N^{1/\delta}$, 
then in time polynomial in $(\log N, 2^\delta)$, we can find all integers $x_0$ such 
that $p(x_0) = 0 \pmod N$ and $|x_0| < X$. 

Proof. See [?]. The result is obtained by applying the previous theorem four 
times, with $\epsilon = 1/\log_2 N$. □ 

This is a major improvement over the bound $N^{2/[\delta(\delta+1)]}$ which was previously 
obtained in [?]. But, theoretically, one would a priori need the following 
parameters in order to achieve the theoretical bound: $\epsilon = 1/\log_2 N$ and 
$h \approx (\delta - 1)\log_2 N/\delta^2$. For example, if we take $\delta = 3$ and a 512-bit number $N$, this 
means reducing several $341 \times 341$ matrices with entries at least as large as $N^{h-1}$, 
that is 17000-digit numbers! Unfortunately, that appears to be a drawback of 
Coppersmith's improvement. Indeed, instead of using only the polynomial $p(x)$ 
(such as in [?]), Coppersmith introduced shifts and powers of this polynomial. 
This enlarges the volume of the lattice $\hat{M}$, which is what makes the target vector 
shorter and shorter compared to other lattice points, but at the expense of the 
size of the entries. In other words, the larger the entries are, the better the bound 
is supposed to be, and the more expensive the reduction is. This leads to several 
questions: is Coppersmith's method of any use in real life? How much can we 
achieve in practice? How do the practical bounds compare with the theoretical 
bounds? We will answer these questions in Sections 4 and 5. 



3 Applications to Low-Exponent RSA 

We briefly review some applications of Coppersmith's method. More can be 
found in [?]. 



3.1 Stereotyped Messages 

Suppose the plaintext $m$ consists of two pieces: a known piece $B = 2^k b$, and an 
unknown piece $x$. If this is RSA-encrypted with an exponent of 3, the ciphertext 
$c$ is given by $c = m^3 = (B + x)^3 \pmod N$. If we know $B$, $c$ and $N$ we can 
apply the previous results to the polynomial $p(x) = (B + x)^3 - c$, and recover 
$x_0$ satisfying 

$$p(x_0) = (B + x_0)^3 - c = 0 \pmod N,$$ 

as long as such an $x_0$ exists with $|x_0| < N^{1/3}$. The attack works equally well if 
the unknown $x_0$ lies in the most significant bits of the message $m$ rather than 
the least significant bits. 

3.2 Random Padding 

Suppose two messages $m$ and $m'$ satisfy an affine relation, say $m' = m + r$. 
Suppose we know the RSA encryptions of the two messages with an exponent 
of 3: 

$$c = m^3 \pmod N$$ 

$$c' = (m')^3 = m^3 + 3m^2 r + 3mr^2 + r^3 \pmod N$$ 

We can eliminate $m$ from the two equations above by taking their resultant, 
which gives a univariate polynomial in $r$ of degree 9, modulo $N$: 

$$r^9 + (3c - 3c')r^6 + (3c^2 + 21cc' + 3(c')^2)r^3 + (c - c')^3.$$ 

Thus, if $|r| < N^{1/9}$ we can theoretically recover $r$, from which we can derive the 
message $m = r(c' + 2c - r^3)/(c' - c + 2r^3) \pmod N$ (see [?]). 
3.3 Broadcast Attacks 

As was pointed out in [?], Coppersmith's result improves known results of 
Håstad [?]. We consider the situation of a broadcast application, where a user 
sends linearly related messages $m_i$ to several participants with public exponent 
$e_i$ and public modulus $N_i$. That is, $m_i = \alpha_i m + \beta_i \pmod{N_i}$, for some unknown 
$m$ and known constants $\alpha_i$ and $\beta_i$. This precisely happens if one sends a similar 
message with different (known) headers or time-stamps which are part of the 
encryption block. 

Let $e = \max e_i$. If $k$ such messages $m_i$ are sent, the attacker obtains $k$ polynomial 
equations $p_i(m) = 0 \pmod{N_i}$ of degree $\le e$. Then we use the Chinese 
Remainder Theorem to derive a polynomial equation of degree $e$: 

$$p(m) = 0 \pmod N, \quad \text{where } N = \prod_{i=1}^{k} N_i.$$ 

And thus, by Coppersmith's method, we can theoretically recover $m$ if $|m| < 
N^{1/e}$. In particular, this is satisfied if $k \ge e$. This improves the previous bound 
$k > e(e + 1)/2$ obtained by Håstad. 

4 Implementation 

In Section 2, we saw that Coppersmith's method required reductions of high-dimensional 
lattices with huge entries. This is because the proof uses the parameter 
$\epsilon$ which induces a choice of $h$. Actually, $\epsilon$ is only of theoretical interest, as 
$h$ is the natural parameter. In practice, one would rather choose $h$ and ignore 
$\epsilon$, so that the matrix and its entries are not too large. To compute the theoretical 
maximal rootsize (for a fixed $h$), one needs to look back at Coppersmith's 
proof. However, we will obtain this maximal rootsize from another method, due 
to Howgrave-Graham (see [?]). It can be shown that from a theoretical point of 
view, the two methods are strictly equivalent: they provide the same bounds, 
and they have the same complexity. But Howgrave-Graham's method is simpler 
to implement and to analyze, so that the practical behavior of Coppersmith's 
method is easier to explain with this presentation. 



4.1 Howgrave-Graham’s Method 

We keep the notations of Section 2: a monic polynomial $p(x)$ of degree $\delta$; a bound 
$X$ for the desired solutions modulo $N$; and $h$ a fixed integer. In both methods, one 
computes a polynomial $r(x)$ of degree at most $n = h\delta$ for which small modular 
roots of $p(x)$ are also integral roots of $r(x)$. In Coppersmith's method, such a 
polynomial is deduced from the hyperplane generated by the first vectors of a 
reduced basis of a certain $n$-dimensional lattice. In Howgrave-Graham's method, 
any sufficiently short vector of a certain $n$-dimensional lattice can be transformed 
into such a polynomial. Actually, these two lattices are related to each other by 
duality. Coppersmith uses lattice reduction to find a basis for which sufficiently 
short vectors are confined to the hyperplane generated by the first vectors of the 
basis. But this problem can also be viewed as a traditional short vector problem 
in the dual lattice, a fact that was noticed by both Howgrave-Graham [?] and 
Jutla [?]. 

Given a polynomial $r(x) = \sum a_i x^i \in \mathbb{Z}[x]$, define $\|r(x)\| = \sqrt{\sum a_i^2}$. 

Lemma 3 (Howgrave-Graham). Let $r(x) \in \mathbb{Z}[x]$ of degree $n$, and let $X$ be a 
positive integer. Suppose $\|r(xX)\| < M/\sqrt{n}$. If $r(x_0) = 0 \pmod M$ and $|x_0| < X$, 
then $r(x_0) = 0$ holds over the integers. 

Proof. Notice that $|r(x_0)| = |\sum a_i x_0^i| \le \sum |a_i| X^i \le \sqrt{n}\, \|r(xX)\| < M$. Since 
$r(x_0) = 0 \pmod M$, it follows that $r(x_0) = 0$. □ 

The lemma shows that a convenient $r(x) \in \mathbb{Z}[x]$ is a polynomial with small norm 
having the same roots as $p(x)$ modulo $N$. We choose such a polynomial as an 
integer linear combination of the following polynomials (similar to the $q_{ij}$'s of 
Coppersmith's method): 

$$q_{u,v}(x) = N^{h-1-v} x^u p(x)^v.$$ 

Since $x_0$ is a root of $q_{u,v}(x)$ modulo $N^{h-1}$, $r(xX)$ must have norm less than 
$N^{h-1}/\sqrt{n}$ to use the lemma. But this can be seen as a short vector problem in 
the lattice corresponding to the $q_{u,v}(xX)$. So we define a lower triangular $n \times n$ 
matrix $M$ whose $i$-th row consists of the coefficients of $q_{u,v}(xX)$, starting with the 
low-degree terms, where $v = \lfloor (i-1)/\delta \rfloor$ and $u = (i-1) - \delta v$. It can be shown 
that: 

$$\det(M) = N^{n(h-1)/2} X^{n(n-1)/2}.$$ 

We apply an LLL-reduction to the lattice spanned by the rows of $M$. The first 
vector of the reduced basis corresponds to a polynomial of the form $r(xX)$. And 
its Euclidean norm is equal to $\|r(xX)\|$. 

On the one hand, to apply the lemma, we need: 

$$\|r(xX)\| < N^{h-1}/\sqrt{n}.$$ 

On the other hand, the theoretical bounds of the LLL algorithm guarantee that 
the norm of the first vector satisfies: 

$$\|r(xX)\| \le 2^{(n-1)/4} \det(M)^{1/n} = 2^{(n-1)/4} N^{(h-1)/2} X^{(n-1)/2}.$$ 

Therefore, a sufficient condition for the method to work is: 

$$2^{(n-1)/4} N^{(h-1)/2} X^{(n-1)/2} < N^{h-1}/\sqrt{n}.$$ 

Hence, for a given $h$, the method is guaranteed to find modular roots up to $X$ 
if: 

$$X < \frac{1}{\sqrt{2}}\, n^{-1/(n-1)}\, N^{(h-1)/(n-1)}. \qquad (4)$$ 
This is also the expression found by Coppersmith in [?] (p. 241). And the limit 
of this expression, when $h$ grows to $\infty$, is $N^{1/\delta}/\sqrt{2}$. But what is worth noticing 
is that the logarithm of that expression, as a function of $h$, is quite concave (see 
Figure 1). This means that small values of $h$ should already give results close 
to the limit. And hopefully, with a small $h$, the lattice is low-dimensional and 
its entries are not excessively large. This indicates that Coppersmith's method 
should be useful in real life. Fortunately, we will see that experiments confirm 
this prediction. 

Fig. 1. Bit-length of the bound $X$ for $\delta = 3$ and RSA-512, as a function of $h$. 
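Howgrave-Graham's lattice of Section 4.1, the bound (4) behind Figure 1, and the stereotyped-message polynomial of Section 3.1, worked through as an added Python example that is not the authors' implementation (theirs used NTL); the 60-bit modulus, the known prefix $B$ and the unknown tail $x_0$ are constructed toy values, and the exact-rational LLL is a textbook version suitable only for lattices this small.

```python
# Added example (not the paper's own code): Howgrave-Graham's variant of
# Coppersmith's method (Section 4.1) applied to the stereotyped-message setting of
# Section 3.1, together with the root bound of inequality (4). Everything is a
# constructed toy: a 60-bit N built from two fixed primes, e = 3, h = 2, and a
# textbook exact-arithmetic LLL that is only meant for lattices this small.
from fractions import Fraction
import math


def bound_bits(h: int, delta: int, log2_n: float) -> float:
    """log2 of the guaranteed root bound of (4):
    X < N^((h-1)/(n-1)) / (sqrt(2) * n^(1/(n-1))) with n = h*delta."""
    n = h * delta
    return (h - 1) / (n - 1) * log2_n - 0.5 - math.log2(n) / (n - 1)


def poly_mul(a, b):
    """Product of two integer polynomials given as coefficient lists, low degree first."""
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] += ai * bj
    return out


def hg_matrix(p, N, h, X):
    """Lower-triangular n x n matrix whose rows are the coefficients of
    q_{u,v}(xX) = N^(h-1-v) (xX)^u p(xX)^v for v < h, u < delta (row index delta*v + u)."""
    delta = len(p) - 1
    n = h * delta
    rows, p_pow = [], [1]                      # p_pow holds p(x)^v, starting at v = 0
    for v in range(h):
        for u in range(delta):
            q = [0] * u + p_pow                # x^u * p(x)^v, degree u + delta*v < n
            q += [0] * (n - len(q))
            rows.append([N ** (h - 1 - v) * c * X ** j for j, c in enumerate(q)])
        p_pow = poly_mul(p_pow, p)
    return rows


def lll(basis, lovasz=Fraction(3, 4)):
    """Textbook LLL over exact rationals; returns an integer reduced basis."""
    B = [[Fraction(x) for x in row] for row in basis]
    n = len(B)
    dot = lambda u, v: sum(a * b for a, b in zip(u, v))

    def gram_schmidt():
        Bs, mu = [], [[Fraction(0)] * n for _ in range(n)]
        for i in range(n):
            v = B[i][:]
            for j in range(i):
                mu[i][j] = dot(B[i], Bs[j]) / dot(Bs[j], Bs[j])
                v = [a - mu[i][j] * b for a, b in zip(v, Bs[j])]
            Bs.append(v)
        return Bs, mu

    Bs, mu = gram_schmidt()
    k = 1
    while k < n:
        for j in range(k - 1, -1, -1):         # size reduction of b_k
            q = round(mu[k][j])
            if q:
                B[k] = [a - q * b for a, b in zip(B[k], B[j])]
                Bs, mu = gram_schmidt()
        if dot(Bs[k], Bs[k]) >= (lovasz - mu[k][k - 1] ** 2) * dot(Bs[k - 1], Bs[k - 1]):
            k += 1                             # Lovasz condition holds
        else:
            B[k], B[k - 1] = B[k - 1], B[k]
            Bs, mu = gram_schmidt()
            k = max(k - 1, 1)
    return [[int(x) for x in row] for row in B]


def small_roots(p, N, h=2):
    """Roots x0 of the monic p(x) = 0 (mod N) with |x0| < X, X taken from (4)."""
    delta = len(p) - 1
    X = int(2 ** bound_bits(h, delta, math.log2(N)))
    first = lll(hg_matrix(p, N, h, X))[0]
    r = [c // X ** j for j, c in enumerate(first)]   # r(xX) -> r(x); division is exact
    r_at = lambda x: sum(c * x ** j for j, c in enumerate(r))
    p_at = lambda x: sum(c * x ** j for j, c in enumerate(p)) % N
    # Lemma 3: ||r(xX)|| < N^(h-1)/sqrt(n) forces r(x0) = 0 over Z; the toy X is small
    # enough to scan the whole interval instead of using a proper integer root finder.
    return [x for x in range(-X, X + 1) if r_at(x) == 0 and p_at(x) == 0]


def recover_stereotyped(c, B, N, h=2):
    """Section 3.1 with e = 3: m = B + x0 with known B, so solve (B + x)^3 - c = 0 (mod N)."""
    p = [(B ** 3 - c) % N, 3 * B ** 2 % N, 3 * B % N, 1]   # monic, low degree first
    return [B + x for x in small_roots(p, N, h)]


if __name__ == "__main__":
    N = 1000000007 * 998244353                 # constructed 60-bit toy modulus
    B, x0 = 0xC0FFEE << 16, 1337               # known prefix, unknown 11-bit tail
    c = pow(B + x0, 3, N)
    print("recovered m:", recover_stereotyped(c, B, N), "expected:", [B + x0])
```

With $h = 2$ and $\delta = 3$ the lattice has dimension 6; `bound_bits` evaluated for other $h$ reproduces the curve of Figure 1.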




4.2 Limits of the Method 

It is well-known that lattice reduction algorithms perform better in practice 
than theoretically expected. And when the LLL algorithm does not provide 
sufficiently short vectors, one can turn to improved lattice reduction algorithms 
such as Schnorr's [?]. However, a simple argument shows that Coppersmith's 
method and its variants are inherently limited, no matter how good the reduction 
algorithm is. 

Indeed, if we assume that the lattice $M$ to be reduced is "random", there 
are probably no lattice points of $M$ significantly shorter than $\det(M)^{1/n}$, that 
is $N^{(h-1)/2} X^{(n-1)/2}$. And therefore, since the conditions of Lemma 3 are quite 
tight, any lattice reduction algorithm will not detect roots much larger than: 

$$n^{-1/(n-1)}\, N^{(h-1)/(n-1)}.$$ 

Compared to (4), only the factor $1/\sqrt{2}$ is removed, which is a very small 
improvement. Thus, it is likely that when the LLL algorithm fails to provide the 
solution, other lattice reduction algorithms will not help. The bound provided 
by (4) is probably tight. 
4.3 Complexity 

In both Coppersmith's method and Howgrave-Graham's method, the most expensive 
step is the lattice reduction step. The matrices to be reduced have the 
same dimension $n = h\delta$, and the sizes of their entries are similar. Therefore, from 
a theoretical point of view, the methods have the same complexity. We assume 
that $X$ is chosen less than $N^{1/\delta}$. 

The worst-case complexity of the LLL algorithm is $O(n^5 d \log^3 R)$ where $n$ is 
the lattice dimension, $d$ is the space dimension and $R$ an upper bound for the 
squared norms of the basis vectors. So the method has worst-case complexity 
$O(n^6 \log^3 R)$ where $R$ is an upper bound for all the $\|q_{u,v}(xX)\|^2$. We have: 

$$\|q_{u,v}(xX)\|^2 = N^{2(h-1-v)} X^{2u} \|p(xX)^v\|^2.$$ 

All the coefficients of $p(xX)$ are less than $N^2$. It follows that: 

$$\|p(xX)^v\|^2 \le N^{4v} \|(1 + x + \cdots + x^\delta)^v\|^2 \le N^{4v} (\delta + 1)^{2v}.$$ 

Therefore: 

$$\|q_{u,v}(xX)\|^2 \le N^{2(h-1+v)} X^{2u} (\delta + 1)^{2v} < N^{4h-4} X^{2\delta-2} (\delta + 1)^{2h-2}.$$ 

Thus, the complexity is $O(n^6 [(4h - 4 + (2\delta - 2)/\delta) \log N + (2h - 2)(\delta + 1)]^3)$, 
that is: 

$$O(h^6 \delta^6 [\log^3 N + \delta \log^2 N + \delta^2 \log N + \delta^3]).$$ 

For large $N$ compared to $\delta$, this is $O(h^6 \delta^6 \log^3 N)$. And that means large values 
of $h$ and $\delta$ are probably not realistic. It also means that the running time of the 
method should be more sensitive to an increase of $h$ than to an increase of $\delta$, or 
an increase of the size of the modulus $N$. 



5 Experiments 

Our implementation uses the NTL library of Victor Shoup. Due to the size 
of the entries, we had to use the floating point versions of reduction algorithms 
with extended exponent. Timings are given for a 500 MHz DEC Alpha. We used 
two sorts of computers: a 64-bit 500 MHz DEC Alpha using Linux and a 64-bit 270 
MHz Sparc Ultra-2i using Solaris. It is worth noticing that for large reductions, 
the Alpha was about 6 times faster than the Ultra. In part, this is because we 
were able to use a 64-bit compiler for the Alpha, but not for the Ultra; and the 
clock frequency of the Alpha is twice as high as that of the Ultra. 

We implemented both Coppersmith's method and its variant by Howgrave-Graham. 
The running times and the results are very similar, but Howgrave-Graham's 
method is simpler to implement. Therefore, the tables given here hold 
for both methods. 
5.1 Running Times

Tables 1, 2 and 3 show the running time of the reduction stage, as a function of the parameter h and the polynomial degree δ, for different sizes of moduli. The polynomial was randomly chosen. The other parts of the method, such as computing the integral roots of the polynomial found, are negligible compared to the reduction stage.

In Section 4, we saw that the worst-case complexity was O(h^7 δ^5 log^2 N). The running times confirm that an increase in h is more expensive than an increase in δ. But the dominant factor is n = hδ. If δ is not small, only small values of h are realistic. And if h is chosen large, only small values of δ are possible.

Doubling the size of the modulus from RSA-512 to RSA-1024 roughly multiplies the running times by 5. And doubling the size of the modulus from RSA-1024 to RSA-2048 roughly multiplies the running times by 5.5. From the complexity, one would expect a multiplication by 8. It turns out that the method is practical even for very large N. And therefore, one would expect broadcast attacks with small exponent to be practical, as they multiply the size of the modulus by the number of linearly related messages, but keep the (low) polynomial degree unchanged.



Table 1. Running time (in seconds), as a function of h and δ, for RSA-512.

Parameter h | Polynomial degree δ
            |   2       3       4       5       6       7       8       9       10
     2      |   0       0.04    0.12    0.29    0.57    0.98    1.71    2.8     4.4
     3      |   0.07    0.34    1.02    2.66    5.71    11      21      36      56
     4      |   0.27    1.48    5.09    14      33      64      120     191     318
     5      |   0.84    4.99    19      53      123     242     455     773     1170
     6      |   2.21    14      55      161     368     764     1395    2341    3773
     7      |   5.34    37      150     415     919     1868    3417    6157    9873
     8      |   11      82      331     912     2146    4366    7678    13725   21504
     9      |   21      166     646     1838    4464    8777    17122   27314   42212
    10      |   38      323     1234    3605    8343    15997   30992
    11      |   70      598     2239    6989    16050
    12      |   126     994     4225    11650
    13      |   194     1582    6598
    14      |   311     2498    10101
    15      |   496     3967    16347

5.2 Experimental Bounds

For a given choice of h and δ, one can theoretically find roots as large as X = [formula unreadable in scan], where n = hδ. However, in practice, one has to use floating point versions of lattice reduction algorithms, because exact versions (using only integer arithmetic) are quite expensive, especially with this size of entries. This means that the basis obtained is not guaranteed to be LLL-reduced, and therefore, the upper bound X cannot be guaranteed either. But, in practice, in all our experiments, the basis obtained was always LLL-reduced, and thus, we have always been able to find roots as large as the bound. Approximation problems occur only when the lattice dimension is very high (larger than, say, 150), which was not the case here. When the LLL algorithm failed to provide a sufficiently short vector, we applied improved lattice reduction algorithms. But as expected (see the previous section), it did not help: the method is inherently limited by the value of the lattice determinant.

Table 2. Running time (in seconds), as a function of h and δ, for RSA-1024.
(? marks a cell that is unreadable in the scan.)

Parameter h | Polynomial degree δ
            |   2       3       4       5       6       7       8       9       10
     2      |   ?       ?       0.37    0.83    1.68    3.02    5.17    8.53    13
     3      |   ?       ?       3.76    9.19    21      42      76      128     209
     4      |   ?       ?       21      57      134     270     492     813     1306
     5      |   ?       ?       82      238     541     1111    2030    3426    5745
     6      |   ?       ?       264     752     1736    3423    6272    11064   17040
     7      |   ?       ?       699     2017    4521    9266    17746
     8      |   ?       ?       1623    4748    10858   21662
     9      |   ?       ?       3277    9800    22594   44712
    10      |   ?       ?       6512    18608
    11      |   ?       ?       11933
    12      |   ?       ?       20947
    13      |   ?       ?

Table 3. Running time (in seconds), as a function of h and δ, for RSA-2048.
(? marks a cell that is unreadable in the scan.)

Parameter h | Polynomial degree δ
            |   2       3       4       5       6       7       8       9       10
     2      |   ?       0.46    1.29    3.01    5.93    11      19      31      48
     3      |   ?       5.11    16      42      93      187     343     598     928
     4      |   ?       29      97      277     635     1308    2386    4151    6687
     5      |   ?       107     405     1185    2780    5616    10584   17787   28458
     6      |   ?       337     1355    3922    9129    18776
     7      |   ?       920     3729    10697   25087
     8      |   ?       2122    8697    25089   58258
     9      |   ?       4503    18854   53345
    10      |   ?       9313    36468
    11      |   ?       16042   68669
    12      |   ?       28187
    13      |   ?

We only made experiments with the case of RSA encryption using 3 as a public exponent. Coppersmith-like attacks are useful only for a very small exponent such as 3, because the polynomial degree must be very small for efficiency, and the roots cannot be much larger than the size of the modulus divided by the polynomial degree. For instance, a public exponent of 65537 is not threatened by Coppersmith's method. One should also note that these attacks do not recover the secret factorization: they can only recover the plaintext under specific conditions.

Stereotyped Messages. This case corresponds to δ = 3. Table 4 gives the bounds obtained in practice, and the corresponding running times. The theoretical bound is tight: we never obtained an experimental bound X more than twice as large as the theoretical bound. There is a value of h which gives the best compromise between the maximal rootsize and the running time. Of course, this value depends on the implementation. If one wants to compute roots larger than the corresponding rootsize, one should treat the remaining bits by exhaustive search, rather than by increasing h. Here, this value seems to be slightly larger than 13.



Table 4. Bounds and running time for stereotyped messages (sizes in bits).

Size of N | Data type        | Parameter h
          |                  |  2      3      4      5      6      7      8      9      10     11     12     13     ∞
   512    | Size of X (bits) |  102    128    139    146    150    153    156    157    159    160    161    162    170
          | Seconds          |  0.05   0.36   1.54   5      15     36     82     161    308    542    910    1501
   768    | Size of X (bits) |  153    192    209    219    226    230    234    236    238    240    241    242    256
          | Seconds          |  0.09   0.76   3.39   12     35     90     211    418    853    1490   2563   4428
   1024   | Size of X (bits) |  204    256    279    292    301    307    311    315    318    320    322    323    341
          | Seconds          |  0.14   1.28   6      23     66     179    393    823    1634   3044   5254   9224

Random Padding. This case corresponds to δ = 9. Table 5 gives the bounds obtained in practice, and the corresponding running times. Note that for this case, the experimental bound X had a few bits more than the theoretical bound for small values of h, which is why we added new data in the table. Again, there is a value of h which gives the best compromise between the maximal rootsize and the running time. This value seems to be h = 6 for RSA-512 and RSA-768, and h = 7 for RSA-1024. In all these cases, the running time is less than a few minutes, and the corresponding rootsize is not far from the maximal theoretical rootsize (corresponding to h = ∞).

Note that the running time is significantly less than the one given in the tables of Section 5.1 for δ = 9. This is because the polynomial of degree 9 is of a particular form here, as it is quite sparse.



Table 5. Bounds and running time for random padding (sizes in bits).

Size of N | Data type                     | Parameter h
          |                               |  2      3      4      5      6      7      8      9      10     ∞
   512    | Experimental size of X (bits) |  34     42     46     48     50     51     51     52     52
          | Theoretical size of X (bits)  |  30     39     44     46     48     49     50     51     52     57
          | Seconds                       |  0.28   2.07   8      29     76     190    396    769    1307
   768    | Experimental size of X (bits) |  51     63     69     73     75     76     77     78     79
          | Theoretical size of X (bits)  |  45     59     66     70     72     75     76     77     77     85
          | Seconds                       |  0.46   3.76   17     55     163    396    835    1713   3095
   1024   | Experimental size of X (bits) |  68     85     93     97     100    102    103    104    105
          | Theoretical size of X (bits)  |  60     79     88     93     96     99     101    102    103    114
          | Seconds                       |  0.74   6      28     97     298    733    1629   3468   6674

Broadcast Applications. We consider the situation of a broadcast application, where a user sends k linearly related messages m_i (built from an unknown message m) to several participants with public exponent e and public modulus N_i. Theoretically, Coppersmith's method should recover the message m as soon as k ≥ e. The problem is that the case k = e corresponds to a large value of h, which is unrealistic in practice, as shown in the tables of Section 5.1. Table 6 gives the bounds obtained in practice, and the corresponding running times for a public exponent of 3 (which corresponds to δ = 3), depending on the number of linearly related messages and the size of the modulus N. When one allows e + 1 messages, the attack becomes practical. We have always been able to recover the message when e = 3 and 4 messages are sent, with a choice of h = 4 (the value h = 3 is a bit tight). The corresponding running time is only a few minutes, even with RSA-1024. For larger exponents (and thus, a larger number of necessary messages), the method does not seem to be practical, as the running time is very sensitive to the polynomial degree δ and the parameter h.
Table 6. Bounds and running time for broadcast attacks with public exponent 3.
(Layout: one block of rows per size of N in {512, 768, 1024} and per number of messages in {2, 3, 4}, each block giving the size of X and the running time in seconds; columns are indexed by the parameter h. The cell values of this table are unreadable in the scan.)

6 Conclusion

We presented extensive experiments with lattice-based attacks against RSA with low public exponent, which validate Coppersmith's novel approach to find small roots of a univariate modular polynomial equation. In practice, one can, in a reasonable time, achieve bounds fairly close to the theoretical bounds. We also showed that these theoretical bounds are essentially tight, in the sense that one cannot expect to obtain significantly better results in practice, regardless of the lattice reduction algorithm used.

The experiments confirm that sending stereotyped messages with a small public exponent e is dangerous when the modulus size is larger than e times the size of the hidden part (consecutive bits). Random padding with public exponent 3 is also dangerous, as long as the modulus size is larger than 9 times the padding size. Interestingly, Håstad-like attacks are practical: if a user sends 4 linearly related messages encrypted with public exponent 3, then one can recover the unknown message in a few minutes, even for a 1024-bit modulus. Note that this improves the former theoretical bound of 7 messages obtained by Håstad. For 3 messages, one can recover the message if the unknown part has significantly fewer bits than the modulus.

This stresses the problems of the low-exponent RSA encryption scheme. However, it only applies to the case of very small public exponents such as 3. It does not seem to threaten exponents such as 65537. And these attacks do not seem to apply to the RSA signature scheme with a small validating exponent.
Abstract. In Eurocrypt '98 Okamoto et al. exhibited a new trapdoor function based on the use of a special modulus (p^2 q) allowing easy discrete logarithm computations. The authors proved that the scheme's resistance to chosen-plaintext attacks is equivalent to factoring n. Unfortunately, the proposed scheme suffers from not being a permutation (the expansion rate is about 3), and hence cannot be used for public-key signatures.

In this paper, we show how to refine the function into a trapdoor permutation that can be used for signatures. Interestingly, our variant still remains equivalent to factoring and seems to be the second known trapdoor permutation (Rabin-Williams' scheme [?] being the first) provably as secure as a primitive problem.



1 The Okamoto-Uchiyama Cryptosystem

In Eurocrypt '98, Okamoto and Uchiyama proposed a new public-key cryptosystem based on the ability of computing discrete logarithms in a particular subgroup. Namely, if p is a large prime and Γ_p ⊂ Z*_{p^2} is

Γ_p = {x < p^2 | x = 1 mod p},

then Γ_p has a group structure with respect to the multiplication modulo p^2 and #Γ_p = p. The function log(.) : Γ_p → Z_p which associates (x − 1)/p to x is clearly well-defined on Γ_p and presents interesting homomorphic properties. In particular,

∀x, y ∈ Γ_p, log(xy mod p^2) = log(x) + log(y) mod p,

whereby, as a straightforward generalization,

∀g ∈ Γ_p, m ∈ Z_p, log(g^m mod p^2) = m log(g) mod p.

Key Setup. Generate two k-bit primes p and q (typically 3k = 1023) and set n = p^2 q. Randomly select and publish a number g < n such that

g_p = g^{p−1} mod p^2

is of order p in Z*_{p^2} and keep g_p secret (note that g_p ∈ Γ_p). Similarly, choose g' < n at random and publish

h = g'^n mod n.

The triple (n, g, h) forms the public key. The secret key is (p, q).

Encryption. Pick r < n uniformly at random and encrypt the k-bit message m by:

c = g^m h^r mod n.

Decryption. Proceed as follows:

1. c' = c^{p−1} mod p^2 = g^{m(p−1)} mod p^2 = g_p^m mod p^2,

2. m = log(c') log(g_p)^{−1} mod p.

We refer the reader to [?] for a thorough description of the scheme. Although provably equivalent to factoring [?] as far as chosen-plaintext attacks are concerned, the scheme suffers from the fact that ciphertexts are about three times longer than plaintexts. As a result, it is impossible to use the trapdoor of [?] as a signature scheme.

The next section shows how to extend the scheme to a trapdoor permutation over Z*_n. Interestingly, the security analysis presented in Section 3 shows that the new encryption function is still as secure as factoring.

H. Imai and Y. Zheng (Eds.): PKC'99, LNCS 1560, pp. 219-[unreadable], 1999.



2 The New Trapdoor Function

Using the same notations as before, let the message be (3k − 2)-bit long and define m = m_1||m_2 where m_1 < 2^{k−1}, m_2 < 2^{2k−1} and || stands for concatenation. The encryption procedure is as follows.

Encryption. Split m into m_1 and m_2 and encrypt by:

c = g^{m_1} m_2^n mod n.

This presents an expansion rate of:

log_2 n / (3k − 2) ≃ 3k / (3k − 2) ≃ 1 + 2/(3k),

which is very close to 1 for common values of k.

Decryption. Compute

c' = c^{p−1} mod p^2 = g_p^{m_1} mod p^2

and

m_1 = log(c') log(g_p)^{−1} mod p,

as in [?], and

1. deduce m_2^n mod pq = c g^{−m_1} mod pq,

2. obtain m_2 mod pq = (m_2^n mod pq)^{n^{−1} mod (p−1)(q−1)} mod pq,

3. conclude by m = m_1||m_2.
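The two schemes of Sections 1 and 2 side by side, as an added example that is not part of the paper: Okamoto-Uchiyama encryption and decryption through the log(.) map, and the trapdoor permutation c = g^{m_1} m_2^n mod n with its three-step decryption. The toy 16-bit primes and the seeded generator are assumptions made here so that the run is repeatable; they are far too small for real use.

```python
import random
from math import gcd

# Toy parameters constructed for this example (k = 16, far too small for real
# use): two k-bit primes with gcd(p, q - 1) = gcd(q, p - 1) = 1, so that n is
# invertible modulo (p - 1)(q - 1), as step 2 of the decryption requires.
K = 16
P, Q = 65521, 65519


def log_p(x, p):
    """The page's log(.) : Gamma_p -> Z_p, i.e. (x - 1) / p for x = 1 mod p."""
    assert x % p == 1, "x is not in Gamma_p"
    return (x - 1) // p


def make_keys(p, q, seed=0):
    """Key setup: n = p^2 q, g with g_p = g^(p-1) mod p^2 of order p, h = g'^n."""
    rng = random.Random(seed)          # seeded only so the demo is repeatable
    n = p * p * q
    while True:
        g = rng.randrange(2, n)
        g_p = pow(g, p - 1, p * p)
        if gcd(g, n) == 1 and g_p != 1:  # g_p != 1 inside Gamma_p means order p
            break
    while True:
        g2 = rng.randrange(2, n)
        if gcd(g2, n) == 1:
            break
    h = pow(g2, n, n)
    return (n, g, h), (p, q, g_p)


def ou_encrypt(pk, m, r):
    """Okamoto-Uchiyama: c = g^m h^r mod n for a message m < p and random r < n."""
    n, g, h = pk
    return pow(g, m, n) * pow(h, r, n) % n


def ou_decrypt(sk, c):
    """c' = c^(p-1) mod p^2 = g_p^m mod p^2, then m = log(c') log(g_p)^-1 mod p."""
    p, q, g_p = sk
    c1 = pow(c, p - 1, p * p)
    return log_p(c1, p) * pow(log_p(g_p, p), -1, p) % p


def split_message(m, k):
    """m = m1 || m2 with m1 < 2^(k-1) and m2 < 2^(2k-1), m being (3k-2)-bit."""
    assert 0 <= m < 1 << (3 * k - 2)
    return m >> (2 * k - 1), m & ((1 << (2 * k - 1)) - 1)


def perm_encrypt(pk, m, k):
    """Section 2 encryption: c = g^m1 m2^n mod n (m2 must be invertible mod n)."""
    n, g, _ = pk
    m1, m2 = split_message(m, k)
    assert m2 != 0 and gcd(m2, n) == 1
    return pow(g, m1, n) * pow(m2, n, n) % n


def perm_decrypt(pk, sk, c, k):
    """Section 2 decryption: m1 via log(.), then m2 by an n-th root mod pq."""
    n, g, _ = pk
    p, q, g_p = sk
    pq = p * q
    # (m2^n)^(p-1) = 1 mod p^2 because p(p-1) divides n(p-1), so c' = g_p^m1.
    c1 = pow(c, p - 1, p * p)
    m1 = log_p(c1, p) * pow(log_p(g_p, p), -1, p) % p
    t = c * pow(g, -m1, pq) % pq                  # step 1: m2^n mod pq
    d = pow(n, -1, (p - 1) * (q - 1))             # step 2: n^-1 mod (p-1)(q-1)
    m2 = pow(t, d, pq)                            # exact here since 2^(2k-1) < pq
    return (m1 << (2 * k - 1)) | m2               # step 3: m = m1 || m2


def roundtrip(seed=1):
    """Encrypt and decrypt one message with each scheme; returns the two checks."""
    pk, sk = make_keys(P, Q, seed)
    n = pk[0]
    rng = random.Random(seed)
    m_ou = rng.randrange(1, P)                    # k-bit message, kept below p
    ok_ou = ou_decrypt(sk, ou_encrypt(pk, m_ou, rng.randrange(1, n))) == m_ou
    while True:                                   # need m2 != 0 and coprime to n
        m_perm = rng.randrange(1 << (3 * K - 2))
        if gcd(split_message(m_perm, K)[1], n) == 1:
            break
    ok_perm = perm_decrypt(pk, sk, perm_encrypt(pk, m_perm, K), K) == m_perm
    return ok_ou, ok_perm
```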
3 Equivalence to Factoring

In this section, we prove the one-wayness of our encryption function under the factoring assumption:

Theorem 1. Inverting the new encryption function is equivalent to factoring n.

Proof (sketch). Assuming that there exists a probabilistic polynomial time Turing machine M which decrypts ciphertexts for a given (n, g) with a non-negligible probability, we transform M into a PPT machine M' that factors n with non-negligible probability. We directly re-use the proof arguments from Theorem 6 of [?] for showing the statistical closeness of distributions of ciphertexts. Feeding M with g^z mod n for random (k + 1)-bit numbers z, we need a single correct answer m = m_1||m_2 to recover a nontrivial factor of n by gcd(z − m_1, n). □

Alternatively, the encryption and decryption functions can be used for digital signatures as well. To achieve this, a signer computes the signature s = s_1||s_2 of the message m such that

g^{s_1} s_2^n = h(m) mod n,

where h is a collision-free one-way hash function. Note however that since s_1 ∈ Z_p and s_2 ∈ Z_{pq}, some information about p and q will leak out at each signature. Namely, collecting N signatures (of arbitrary messages) will allow an attacker to recover O(log(N)) bits of p. We therefore recommend regularly re-generating the scheme's parameters, possibly according to an internal counter.

It is worthwhile noticing that our scheme presents underlying homomorphic properties which could be useful for designing distributed cryptographic protocols (multi-signatures, secret sharing, threshold cryptography and so forth).



4 Further Research

Okamoto-Uchiyama's trapdoor technique is inherently new in the sense that it profoundly differs from RSA and Diffie-Hellman. There is no doubt that this technique could be adapted in various ways for designing new public-key cryptosystems in the near future.
Abstract. Public-key implementers often face strong hardware-related 
constraints. In particular, modular operations required in most cryp- 
tosystems generally constitute a computational bottleneck in smart-card 
applications. This paper addresses the size limitation of arithmetic co- 
processors and introduces new techniques that virtually increase their 
computational capacities. We suspect our algorithm to be nearly opti- 
mal and challenge the cryptographic community for better results. 



1 Introduction

Since most public-key cryptosystems involve modular arithmetic over large integers, fast modular multiplication techniques have received considerable attention in the last two decades. Although most efforts focused on conventional 8, 16, 32 or 64-bit architectures (we refer the reader to [?]), we will specifically consider hardwired devices such as cryptoprocessors (see [?]).

Interestingly, most chip manufacturers provide cryptographic cores capable of performing fast regular/modular operations (addition, subtraction, modular reduction, modular multiplication) on 512 or 1024-bit integers. Although such hardware is fully adapted to the processing context required in cryptography, it inherits inescapable operand size limitations (conversely, conventional CPUs can handle data of quasi-arbitrary length, which is only bounded by the available RAM resource). As an illustrative example, one can hardly use a 512-bit cryptoprocessor for adding two 768-bit integers (no carry management is provided in general) as they exceed the 512-bit arithmetic registers. Subsequently, it seems very hard to perform a 768-bit modular exponentiation based on such an architecture. More formally, one could define the task as a more general computational problem:

Problem 1. How to optimally implement nk-bit modular operations using k-bit modular operations?

This problem raises interesting questions, both practical and theoretical.¹ From a cryptographic standpoint, we will essentially focus on designing an nk-bit modular multiplication in virtue of its immediate utility in modular exponentiation. Since most complexity-consuming parts will come from k-bit multiplications, our interest will be to tightly investigate:

Problem 2. How to implement an nk-bit modular multiplication using k-bit modular operations with a minimal number of k-bit multiplications?

In this paper, we develop new algorithmic techniques that solve Problem 1 for an arbitrary n, if we authorize a Montgomery-like constant to appear in the result. Moreover, we propose specifically optimized variants for n = 2 that require 9 k-bit modular multiplications in the general case, and only 6 if one of the two operands is previously known, as in modular exponentiation. The author is strongly confident in the optimality of these bounds and offers a 9,999 yen cash reward (as a souvenir from PKC'99) for any better result.

In the next section, we briefly recall the main principles of Residue Number Systems (RNS). In Section 3 we introduce the notions of modular- and radix-compliant RNS bases, show their relevance to Problem 1 and give a concrete example of their implementation in the context of RSA signatures. Note that we will sometimes adopt the notation x [a] instead of x mod a for visual comfort.

¹ This is somehow related to the formal decomposition of an algebraic operation with respect to a set of others.

2 Radix Versus Modular Representations

We begin by briefly introducing radix and RNS integer representations. A representation is a function that bijectively transforms a number into a sequence of smaller ones. Although there exist various ways of representing numbers, the most commonly used is the 2^k-radix form: if x denotes an nk-bit nonnegative integer smaller than N_max ≤ 2^{nk}, its radix representation is given by the vector

(x) = (x_0, ..., x_{n−1}),

where x_i < 2^k for i = 0, ..., n − 1 and

x = x_0 + x_1 2^k + ... + x_{n−1} 2^{(n−1)k}.

Let a = {a_1, ..., a_r} be a set of r arbitrary integers (called set of moduli or RNS base) such that

A = lcm(a_1, ..., a_r) ≥ N_max. (1)

The modular (also called Chinese in digital signal processing) representation of x with respect to this base is the function that associates to x the vector

<x>_a = (x [a_1], ..., x [a_r]).

The bijection between an integer and its modular representation is guaranteed by the Chinese Remainder Theorem correspondence. More precisely, for all x < A and a fortiori for all x < N_max, by noting

P_i = lcm(a_1, ..., a_r)/a_i for i = 1, ..., r,
and defining

θ_i = P_i (P_i^{−1} [a_i]) for i = 1, ..., r,

it is known that

x = (x [a_1] θ_1 + ... + x [a_r] θ_r) [A].

When modular representations are employed in divide-and-conquer computation techniques, the RNS base is chosen in such a way that gcd(a_i, a_j) = 1 for increased performance. We will therefore assume the pairwise relative primality of the moduli throughout the paper and, as a consequence, Eq. (1) yields

A = ∏_{i=1}^{r} a_i. (2)

Clearly, regular addition and multiplication (relevant only when the result happens to be smaller than A) can be efficiently computed componentwise in modular representation, that is

<x + y>_a = ((x + y) [a_1], ..., (x + y) [a_r])

<xy>_a = (xy [a_1], ..., xy [a_r]).

In this setting, evaluating x + y leads to carry-free parallelizable computations. Furthermore, multiplying x by y usually requires less computational resources than direct multiplication since

(log_2 A)^2 ≥ ∑_{i=1}^{r} (log_2 a_i)^2. (3)

This clearly shows one advantage of modular approaches. Interestingly, modular representation appears well-suited for computations on large integers, but remains rather incompatible with the common representation in base 2^k. This strongly motivates deeper investigations of Radix/Modular and Modular/Radix representation conversions. The next section sheds light on those specific RNS bases for which conversions from one type into the other may be achieved at very low cost.



3 Fast Representation Conversions

Definition 3. A set of moduli a = {a_1, ..., a_r} is said to be (N_max)-modular-compliant (respectively (N_max)-radix-compliant) when A ≥ N_max and for all x < N_max the conversion

(x) → <x>_a (resp. <x>_a → (x))

requires only O(1) operations of low (at most linear) complexity.
It is not obvious that a given set of moduli fulfills compliance regarding the conversion (x) → <x>_a, because modular reductions are then to be achieved in linear time. Moreover, switching back into radix representation in linear complexity is even far more intricate. In a general context, getting a number x out of its modular representation is done by Chinese remaindering. For achieving this with a minimum amount of storage, one cascades Garner's method, which computes x < a_1 a_2 given x [a_1] and x [a_2] in the following way. There exist x_1 < a_2 and x_2 < a_1 such that

x = x_1 a_1 + x [a_1]
  = x_2 a_2 + x [a_2],

wherefrom

x_1 = x_1 [a_2] = ((x [a_2] − x [a_1]) / a_1) [a_2],

which yields

x [a_1 a_2] = (((x [a_2] − x [a_1]) / a_1) [a_2]) a_1 + x [a_1].

This combination has then to be iterated r − 1 times on the other RNS components to retrieve x = x [a_1 ··· a_r]. This requires precomputing and storing r − 1 constants, for instance

a_1^{−1} [a_2], (a_1 a_2)^{−1} [a_3], ..., (a_1 ··· a_{r−1})^{−1} [a_r],

or other (computationally equivalent) precomputable constants, depending on the chosen recombination sequence. The total recombination thus requires no less than r − 1 modular multiplications all along the computation, that is, implies a complexity of [unreadable in scan].

Radix-compliant RNS bases, by definition, are expected to allow CRT reconstruction without any multiplication. By comparison, using them to switch from modular to radix representation will only cost O(∑_i log_2 a_i), which assuredly reaches a minimum of complexity.

3.1 Application to RSA Signature Generation

We show here a concrete example of utilizing radix-compliant bases in the context of RSA with Chinese remaindering. Suppose that the cryptoprocessor is limited to k-bit modular computations (typically k = 512 or 1024). After computing the k-bit integers

m^d mod p and m^d mod q,
one generally uses Garner's algorithm to recombine the two parts of the signature:

s = m^d [q] + ((m^d [p] − m^d [q]) / q [p]) q. (4)

The main problem here resides in computing the regular multiplication of the two k-bit numbers q and (m^d [p] − m^d [q]) / q [p], since this operation is a priori not supported by the cryptographic processor. Although common implementations take advantage of the 8 or 32-bit host CPU to externally execute the work², we will preferably rely on a simple radix-compliant RNS base. Setting

a_1 = 2^k and a_2 = 2^k − 1,

one notices that gcd(a_1, a_2) = 1 and s < pq < (2^k − 1)^2 < a_1 a_2. Additionally, for all x = x_1 2^k + x_0 such that x < pq, <x>_a can be efficiently computed in linear complexity since

x [a_1] = x_0
x [a_2] = (x_1 + x_0) [a_2],

and conversely,

x_0 = x [a_1] (5)
x_1 = (x [a_2] − x [a_1]) [a_2], (6)

which makes (a_1, a_2) a (pq)-radix- and modular-compliant RNS base for all p and q. As a direct consequence, one can compute <s>_a from equation (4) by multiplying separately mod a_1 and mod a_2. Finally, the representation of s in 2^k-radix form is obtained by performing steps (5) and (6).
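The recombination of Section 3.1 in code, as an added example that is not the paper's own: the two k-bit residues m^d [p] and m^d [q] are combined through equation (4) modulo a_1 = 2^k and a_2 = 2^k − 1 using k-bit multiplications only, and s is read back from equations (5) and (6). The 16-bit primes, the exponent 65537 and the register-size check in kbit_mulmod are assumptions made for the demonstration.

```python
# Toy RSA-CRT parameters constructed for this example: two 16-bit primes, so
# the "k-bit cryptoprocessor" being stretched has k = 16. Real keys are far
# larger, but the arithmetic below is the same.
K = 16
P, Q = 65521, 65519
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
A1, A2 = 1 << K, (1 << K) - 1        # the radix-compliant base a = {2^k, 2^k - 1}


def kbit_mulmod(x, y, a, k=K):
    """One k-bit modular multiplication: operands and modulus must fit the
    k-bit registers. This is the only multiplication the coprocessor offers."""
    assert 0 <= x < a and 0 <= y < a and a <= 1 << k
    return x * y % a


def crt_halves(m, d, p, q):
    """The two k-bit exponentiations m^d mod p and m^d mod q."""
    return pow(m, d % (p - 1), p), pow(m, d % (q - 1), q)


def garner_factor(sp, sq, p, q):
    """t = (m^d [p] - m^d [q]) / q  [p]; every operation here is k-bit, mod p.
    Equation (4) then reads s = m^d [q] + t q, and t q is a 2k-bit product."""
    return (sp - sq) * pow(q, -1, p) % p


def to_radix(x_a1, x_a2, k=K):
    """Equations (5) and (6): the digits (x1, x0) of x = x1 2^k + x0 from the
    residues x [a1] and x [a2], valid for x < (2^k - 1)^2."""
    a2 = (1 << k) - 1
    x0 = x_a1                            # (5)
    x1 = (x_a2 - x_a1) % a2              # (6), since 2^k = 1 mod a2
    return x1, x0


def recombine_in_rns(sp, sq, p, q, k=K):
    """Evaluate (4) modulo a1 and a2 with k-bit operations, then convert back."""
    a1, a2 = 1 << k, (1 << k) - 1
    t = garner_factor(sp, sq, p, q)
    s_a1 = (sq % a1 + kbit_mulmod(t % a1, q % a1, a1, k)) % a1
    s_a2 = (sq % a2 + kbit_mulmod(t % a2, q % a2, a2, k)) % a2
    x1, x0 = to_radix(s_a1, s_a2, k)
    return (x1 << k) | x0


def sign_crt(m, p=P, q=Q, d=D):
    """RSA-CRT signature s = m^d mod pq without any 2k-bit multiplication."""
    sp, sq = crt_halves(m, d, p, q)
    return recombine_in_rns(sp, sq, p, q)
```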

4 Working in Modular Representation

Let N < N_max, x < N and y < N be three nk-bit numbers given under their respective modular representations <x>, <y> and <N> for some RNS base to be defined. Although one would preferably compute the direct modular product <xy [N]>, we will authorize a Montgomery-type constant factor to appear in the result: it is known that the constant can be left unchanged through an arbitrary number of multiplications and eventually vanishes when some additional low-cost pre- (and post-) computations are done. Montgomery's well-known modular multiplication [?] is based on a transformation of the form

xy → (xy + (−xy N^{−1} [B]) N) / B, (7)

where B is generally chosen such that operations mod B and div B are particularly efficient (or easier to implement) compared to operations mod N and div N. Although B is usually a power of the base in radix representation, we will use here for B a product of (N_max)-modular-compliant moduli. Namely (wlog),

B = b_1 × ··· × b_t.

² This makes the multiplication feasible but is particularly time-consuming.

We will then choose to compute Eq. (7) while working in modular representation with respect to the base a ∪ b where a = {a_1, ..., a_r} is an (N_max)-radix-compliant base. Observe first that due to representation constraints, all expected intermediate results have to remain smaller than the total product of the moduli, i.e. we must have

N^2 + BN < AB,

which can be satisfied if A and B are chosen in such a way that

N_max^2 + B N_max < AB. (8)

We now describe how to implement Equation (7) in RNS representation with base a ∪ b. The algorithm is given on Fig. 1.

Algorithm 1.

Input: <x>_{a∪b}, <y>_{a∪b} and <N>_{a∪b} where x, y < N and N < N_max.
Output: <z>_{a∪b} with z = xy B^{−1} [N] or z = xy B^{−1} [N] + N.
Precomputations: α_i = −(N ∏_{j<i} b_j)^{−1} [b_i] for i = 1, ..., t, and B^{−1} [a_j] for j = 1, ..., r.

Step 1. u_1 = x [b_1] y [b_1] α_1 mod b_1,
Step 2. u_2 = (x [b_2] y [b_2] + u_1 N [b_2]) α_2 mod b_2,
Step 3. u_3 = (x [b_3] y [b_3] + (u_1 + b_1 u_2) N [b_3]) α_3 mod b_3,
...
Step t. u_t = (x [b_t] y [b_t] + (u_1 + b_1 u_2 + ··· + (∏_{i=1}^{t−2} b_i) u_{t−1}) N [b_t]) α_t mod b_t,
Step t + 1. For j = 1 to r, compute

z [a_j] = (x [a_j] y [a_j] + (u_1 + b_1 u_2 + ··· + (∏_{i=1}^{t−1} b_i) u_t) N [a_j]) / B mod a_j,

Step t + 2. convert <z>_a → (z) (low-cost due to the radix-compliance of a),
Step t + 3. convert (z) → <z>_b (low-cost due to the modular-compliance of b).

Fig. 1. Montgomery-type Multiplication in Modular Representation.

The correctness of the algorithm is guaranteed by the following statement:

Theorem 4 (Correctness). Assuming that condition (8) holds, Algorithm 1 outputs either

<xy B^{−1} [N]>_{a∪b} or <xy B^{−1} [N] + N>_{a∪b}.
Proof. We have to prove (i) that z = xy B^{−1} [N] and (ii) that z < 2N. Let

v = u_1 + b_1 u_2 + ··· + (∏_{i=1}^{t−1} b_i) u_t.

One can easily check that the number xy + vN is a multiple of B: it is straightforward that (xy + vN) [b_1] = 0 and, by definition of the α_i's, we get (xy + vN) [b_i] = 0 by induction on i = 1, ..., t. Therefore the division (xy + vN)/B is implicitly realized in Z, and z is a well-defined integer which fulfills the equality (i). (ii) is due to B ≥ N_max > N (coming from the (N_max)-modular-compliance of b), which implies xy + vN < N^2 + BN < 2BN. □

Theorem 5 (Complexity Analysis). Algorithm 1 runs in μ(n) k-bit multiplications where

μ(n) = (n/2)(3n + 7) if N_max^2 + B_n N_max < A_n B_n,
       (3n^2 + 9n + 4)/2 otherwise, (9)

where A_n and B_n are defined as

A_n = max { ∏_{i=1}^{n} a_i | {a_1, ..., a_n} is radix-compliant and a_i < 2^k for i = 1, ..., n },
B_n = max { ∏_{i=1}^{n} b_i | {b_1, ..., b_n} is modular-compliant and b_i < 2^k for i = 1, ..., n }.

Proof (Sketch). By construction, a_i and b_i must be (at most) k-bit integers. For i = 1, ..., t, the i-th step of the algorithm requires i + 1 k-bit modular multiplications. Then the r following iterations require t + 2 modular multiplications each. Therefore, the total amount of k-bit multiplications can be expressed as

t(t + 1)/2 + t + r(t + 2) = (1/2)(t^2 + 2rt + 3t + 4r),

which shows that r and t should be tuned to be as small as possible. The minimum values of r and t are reached when r = t = n, and this forces the inequality given by (9) because of condition (8). If N_max is greater than the given bound, we optimally choose r = n + 1 and t = n. □

It is worthwhile noticing that previous works such as [?] are based on quite a similar approach, but often interleave heavy representation conversions during the computation or impose a hybrid (MRS) representation of operands.
Algorithm 2.

Input: $\langle x\rangle_{a\cup b}$, $\langle y\rangle_{a\cup b}$ and $\langle N\rangle_{a\cup b}$ where $x, y < N$ and $N < N_{\max}$.

Output: $\langle z\rangle_{a\cup b}$ with $z = xyB^{-1}\,[N]$ or $z = xyB^{-1}\,[N] + N$.

Precomp.: $\alpha_1 = -N^{-1}\,[b_1]$, $\alpha_2 = -(b_1 N)^{-1}\,[b_2]$, $(b_1 b_2)^{-1}\,[a_1]$ and $(b_1 b_2)^{-1}\,[a_2]$.

Step 1. $u_1 = x[b_1]\, y[b_1]\, \alpha_1 \bmod b_1$

Step 2. $u_2 = \big(x[b_2]\, y[b_2] + u_1 N[b_2]\big)\, \alpha_2 \bmod b_2$

Step 3. $z[a_1] = \dfrac{x[a_1]\, y[a_1] + (u_1 + b_1 u_2)\, N[a_1]}{b_1 b_2} \bmod a_1$

Step 4. $z[a_2] = \dfrac{x[a_2]\, y[a_2] + (u_1 + b_1 u_2)\, N[a_2]}{b_1 b_2} \bmod a_2$

Step 5. compute $(z) = (z_1, z_0)$ from $(z[a_1], z[a_2])$ and

Step 6. deduce the missing coordinates $(z[b_1], z[b_2])$ from $(z)$.

Fig. 2. Double-Size Montgomery Multiplication in RNS base $\{b_1, b_2, a_1, a_2\}$.



5 Size-Doubling Techniques

Double-size computations are obtained in the particular case when $r = t = n = 2$. Then Algorithm 1 turns into the algorithm depicted on Fig. 2. The correctness of the algorithm is ensured by Theorem 4. The (quadratic part of the) complexity appears to be of exactly $p(2) = 13$ $k$-bit modular multiplications. In the setting of size-doubling, however, this number can be substantially decreased by utilizing particular RNS bases $\{a_1, a_2\}$ and $\{b_1, b_2\}$ which, under the conditions of compliance and (B), also verify useful properties that simplify the computations of Algorithm 2. Namely, the numbers

$$b_1\,[a_1], \quad b_1\,[a_2], \quad (b_1 b_2)^{-1}\,[a_1], \quad (b_1 b_2)^{-1}\,[a_2], \quad a_1^{-1}\,[a_2] \ \text{or}\ a_2^{-1}\,[a_1],$$

have to be as "simple" as possible. This is achieved by taking the following moduli:

$$b_1 = 2^k + 1, \qquad b_2 = 2^{k-1} - 1, \qquad a_1 = 2^k, \qquad a_2 = 2^k - 1,$$

which happen to be pairwise relatively prime for common even values of $k$ (512 or 1024 in practice). This choice allows a particularly fast implementation in 9 $k$-bit multiplications as shown on Fig. 3. We state:

Theorem 6. Algorithm 3 computes a $2k$-bit modular multiplication for any $N < N_{\max}$, where $N_{\max} < (2^k + 1)(2^{k-1} - 1)$, in 9 $k$-bit modular multiplications.



Low-Cost Double-Size Modular Exponentiation 231 



Algorithm 3.

Input: $\langle x\rangle_{a\cup b}$, $\langle y\rangle_{a\cup b}$ and $\langle N\rangle_{a\cup b}$ where $x, y < N$ and $N < N_{\max}$.

Output: $\langle z\rangle_{a\cup b}$ with $z = xyB^{-1}\,[N]$ or $z = xyB^{-1}\,[N] + N$.

Precomputations: $\alpha_1 = -N^{-1}\,[b_1]$, $\alpha_2 = -(b_1 N)^{-1}\,[b_2]$.

Step 1. $u_1 = x[b_1] \times y[b_1] \times \alpha_1 \bmod b_1$

Step 2. $u_2 = \big(x[b_2] \times y[b_2] + u_1 \times N[b_2]\big) \times \alpha_2 \bmod b_2$

Step 3. $z[a_1] = -\big(x[a_1] \times y[a_1] + (u_1 + u_2) \times N[a_1]\big) \bmod a_1$

Step 4. If $z[a_1]$ is odd then $z[a_1] = \big(z[a_1] + 2^{k-1}\big) \bmod a_1$

Step 5. $z[a_2] = -\big(x[a_2] \times y[a_2] + (u_1 + 2u_2) \times N[a_2]\big) \bmod a_2$

Step 6. $z_1 = (z[a_2] - z[a_1]) \bmod a_2$

Step 7. deduce $z[b_1] = (-z_1 + z[a_1]) \bmod b_1$ and

Step 8. $z[b_2] = (2z_1 + z[a_1]) \bmod b_2$.

Fig. 3. Double-Size Multiplication in RNS base $\{2^k + 1,\ 2^{k-1} - 1,\ 2^k,\ 2^k - 1\}$.



Proof. Let us first prove the correctness of steps 3 through 8:

steps 3 and 4: $b_1$ disappears from the general expression (see step 3 of Algorithm 2) because $b_1 \equiv 1 \bmod a_1$; also $(b_1 b_2)^{-1} \equiv b_2 \bmod a_1$, and multiplying some number $g$ by $b_2$ modulo $a_1$ leads to $-g \bmod a_1$ if $g$ is even, or to $(-g \bmod a_1) + 2^{k-1}$ otherwise,

step 5: we have $b_1 \equiv 2 \bmod a_2$; also $(b_1 b_2)^{-1} \equiv -1 \bmod a_2$,

steps 6, 7, 8: are easy to check.

From the inequality imposed by condition (B), together with $A/B = 2 + 2/\big((2^k + 1)(2^{k-1} - 1)\big)$, we get a factor $1 + 2/\big(3(2^k + 1)(2^{k-1} - 1)\big)$, wherefrom the bound on $N_{\max}$ follows.

Finally, looking at Algorithm 3 shows that only 9 $k$-bit modular multiplications are required throughout the whole computation. □



As input and output numbers are given in modular representation, Algorithm 3 can be re-iterated at will, thus providing an algorithmic base for double-size exponentiation, if modular squaring is chosen to be computed in the same way. Conversions from radix to modular representation in base $a \cup b$ for the message and the modulus will then have to be executed once during the initialization phase, and so will the conversion of the result from modular to radix representation after the square-and-multiply exponent scanning finishes.



Remark 7. At this level, note also that modular exponentiating leads to constantly multiplying the current accumulator by the same number (the base), say $\langle g\rangle_{a\cup b}$. As a consequence, the modular multiplier shown above can be simplified again in this context, by replacing the precomputed constants $\alpha_1$ and $\alpha_2$ by

$$\alpha'_1 = g\alpha_1 = -gN^{-1} \bmod b_1 ,$$

and

$$\alpha'_2 = g\alpha_2 = -g(b_1 N)^{-1} \bmod b_2 , \qquad \alpha''_2 = N\alpha_2 = -b_1^{-1} = -\frac{1}{3} \bmod b_2 ,$$

and replacing Algorithm 3 by the more specific multiplication algorithm shown on Fig. 4, which uses only 7 $k$-bit multiplications. Note that this improvement cannot be applied to modular squaring, whose operand changes at every step.



Algorithm 4.

Input: $\langle x\rangle_{a\cup b}$, $\langle g\rangle_{a\cup b}$ and $\langle N\rangle_{a\cup b}$ where $x, g < N$ and $N < N_{\max}$.

Output: $\langle z\rangle_{a\cup b}$ with $z = xgB^{-1}\,[N]$ or $z = xgB^{-1}\,[N] + N$.

Precomputations: $\alpha'_1 = -gN^{-1}\,[b_1]$, $\alpha'_2 = -g(b_1 N)^{-1}\,[b_2]$.

Step 1. $u_1 = x[b_1] \times \alpha'_1 \bmod b_1$

Step 2. $u_2 = x[b_2] \times \alpha'_2 + u_1 \times \alpha''_2 \bmod b_2$

Step 3. $z[a_1] = -\big(x[a_1] \times g[a_1] + (u_1 + u_2) \times N[a_1]\big) \bmod a_1$

Step 4. If $z[a_1]$ is odd then $z[a_1] = \big(z[a_1] + 2^{k-1}\big) \bmod a_1$

Step 5. $z[a_2] = -\big(x[a_2] \times g[a_2] + (u_1 + 2u_2) \times N[a_2]\big) \bmod a_2$

Step 6. $z_1 = (z[a_2] - z[a_1]) \bmod a_2$

Step 7. deduce $z[b_1] = (-z_1 + z[a_1]) \bmod b_1$ and

Step 8. $z[b_2] = (2z_1 + z[a_1]) \bmod b_2$.

Fig. 4. Double-Size Multiplier in RNS base $\{2^k + 1,\ 2^{k-1} - 1,\ 2^k,\ 2^k - 1\}$ specific to Modular Exponentiation.



Remarks. Note also that the multiplication $u_1 \times \alpha''_2\,[b_2] = -u_1/3\,[b_2]$ can be advantageously replaced by the following operation (linear in $k$):

1. determine which number among $\{u_1, u_1 + 1, u_1 + 2\}$ is divisible by 3 (using repeated summations on $u_1$'s bytes for instance),

2. divide $u_1 + i$ by 3 in $\mathbb{Z}$ by some linear technique such as the Arazi-Naccache fast algorithm (see [?]) to get an integer $u$,

3. correct the result by adding $i$ times the corresponding correction term to $u$ modulo $b_2$.

This decreases the complexity again down to 6 $k$-bit multiplications.

From a practical point of view, the technique is (to the best of our knowledge) the only one that makes it possible to perform $2k$-bit modular exponentiations on $k$-bit cryptographic processors at reasonable cost.
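The multiplier of Fig. 3, the fixed-base variant of Fig. 4 with the division-by-3 replacement, and the square-and-multiply loop described above, as an added Python example that is not part of the paper. It simulates the four $k$-bit channels with Python integers reduced modulo each channel modulus. Two things are assumptions of this example rather than statements of the paper: the input bound $N < B/4$, chosen so that every output ($< 2N$) is again an admissible input of the next multiplication, and the constructed test modulus used at the bottom.

```python
# Added example (not from the paper): double-size Montgomery multiplication in
# the RNS base {2^k+1, 2^(k-1)-1, 2^k, 2^k-1} of Algorithm 3, the fixed-base
# variant of Algorithm 4 with the division-by-3 replacement, and a
# square-and-multiply driver. Python integers play the role of the k-bit
# channels; every arithmetic step is reduced modulo one channel modulus.
from math import gcd


def rns_base(k):
    """Moduli (b1, b2, a1, a2); they are pairwise coprime only for even k."""
    assert k % 2 == 0, "k must be even"
    return (1 << k) + 1, (1 << (k - 1)) - 1, 1 << k, (1 << k) - 1


def to_rns(x, base):
    return tuple(x % m for m in base)


def from_a_channels(z_r, k):
    """CRT on the a-channels: z = z[a1] + a1*z1 with a1 = 1 mod a2 (step 6)."""
    _, _, a1, a2 = rns_base(k)
    _, _, za1, za2 = z_r
    return za1 + ((za2 - za1) % a2) * a1


class DoubleSizeMont:
    def __init__(self, N, k):
        self.k, self.N = k, N
        self.base = rns_base(k)
        b1, b2, _, _ = self.base
        self.B = b1 * b2
        # Assumption of this example: N < B/4 keeps every output (< 2N) usable
        # as a further input, which is what the exponentiation loop needs.
        assert 4 * N < self.B and gcd(N, self.B) == 1
        self.n_r = to_rns(N, self.base)
        self.alpha1 = (-pow(N, -1, b1)) % b1         # -N^-1 mod b1
        self.alpha2 = (-pow(b1 * N, -1, b2)) % b2    # -(b1 N)^-1 mod b2
        self.inv3 = pow(3, -1, b2)                   # b1 = 3 mod b2, so N*alpha2 = -1/3 mod b2

    def _finish(self, u1, u2, x_r, y_r):
        """Steps 3-8, shared by Algorithms 3 and 4 (4 k-bit multiplications)."""
        b1, b2, a1, a2 = self.base
        _, _, xa1, xa2 = x_r
        _, _, ya1, ya2 = y_r
        _, _, na1, na2 = self.n_r
        # Step 3: b1 = 1 mod a1 and (b1 b2)^-1 = b2 mod a1; multiplying by
        # b2 = 2^(k-1)-1 modulo 2^k is a negation plus, for an odd operand,
        # the addition of 2^(k-1), i.e. a top-bit flip (step 4).
        za1 = (-(xa1 * ya1 + (u1 + u2) * na1)) % a1
        if za1 & 1:
            za1 ^= 1 << (self.k - 1)
        # Step 5: b1 = 2 mod a2 and (b1 b2)^-1 = -1 mod a2.
        za2 = (-(xa2 * ya2 + (u1 + 2 * u2) * na2)) % a2
        # Steps 6-8: z = z[a1] + 2^k z1 with 2^k = -1 mod b1 and 2^k = 2 mod b2.
        z1 = (za2 - za1) % a2
        return ((za1 - z1) % b1, (za1 + 2 * z1) % b2, za1, za2)

    def mul(self, x_r, y_r):
        """Algorithm 3: z = x y B^-1 mod N or that plus N, in 9 multiplications."""
        b1, b2, _, _ = self.base
        u1 = x_r[0] * y_r[0] * self.alpha1 % b1                        # step 1
        u2 = (x_r[1] * y_r[1] + u1 * self.n_r[1]) * self.alpha2 % b2   # step 2
        return self._finish(u1, u2, x_r, y_r)

    def fixed_base(self, g_r):
        """Remark 7: fold the fixed multiplicand g into alpha1 and alpha2."""
        b1, b2, _, _ = self.base
        return g_r, g_r[0] * self.alpha1 % b1, g_r[1] * self.alpha2 % b2

    def mul_fixed(self, x_r, pre):
        """Algorithm 4 with u1/3 computed by an exact division: 6 multiplications."""
        g_r, alpha1p, alpha2p = pre
        b1, b2, _, _ = self.base
        u1 = x_r[0] * alpha1p % b1                                     # step 1
        # u1 * (N alpha2) = -u1/3 mod b2.  Pick i in {0,1,2} with 3 | u1+i,
        # divide exactly in Z, then remove i * 3^-1 (at most two additions).
        i = (-u1) % 3
        third = ((u1 + i) // 3 - i * self.inv3) % b2
        u2 = (x_r[1] * alpha2p - third) % b2                           # step 2
        return self._finish(u1, u2, x_r, g_r)


def mont_mul_int(x, y, N, k):
    """Integer view of Algorithm 3, for checking: z = x y B^-1 mod N, z < 2N."""
    m = DoubleSizeMont(N, k)
    return from_a_channels(m.mul(to_rns(x, m.base), to_rns(y, m.base)), k)


def mont_exp(g, e, N, k):
    """g^e mod N on k-bit channels: conversions happen once, at entry and exit."""
    m = DoubleSizeMont(N, k)
    R = m.B % N                                    # Montgomery form of 1
    acc = to_rns(R, m.base)
    pre = m.fixed_base(to_rns(g * R % N, m.base))  # g in Montgomery form, folded once
    for bit in bin(e)[2:]:
        acc = m.mul(acc, acc)                      # squaring: Algorithm 3
        if bit == "1":
            acc = m.mul_fixed(acc, pre)            # multiply by the base: Algorithm 4
    z = from_a_channels(m.mul(acc, to_rns(1, m.base)), k)   # leave Montgomery form
    return z % N


if __name__ == "__main__":
    k, N = 16, 500000003          # constructed test modulus, coprime to B and below B/4
    print(mont_exp(123456789, 65537, N, k) == pow(123456789, 65537, N))
```

Each call of `mul` performs the 9 channel multiplications of Algorithm 3 (steps 1, 2, 3 and 5; steps 4 and 6 to 8 are additions and a bit flip), and `mul_fixed` the 6 of Algorithm 4 with $u_1/3$ obtained by an exact integer division. On a real $k$-bit coprocessor the two $a$-channel lines in `_finish` are the ones that can run in parallel.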



6 Hardware Developments

Size-doubling techniques are an original design strategy for cryptoprocessor hardware designers. In particular,

— the total independence of the computations at steps 3 and 5 of Algorithm 3 (or of the $r$ iterations at step $t + 1$ of Algorithm 1) could lead to a high parallelization of computational resources (typically the arithmetic core),

— the specific choice of the RNS base allows specific treatments of modular multiplications, for instance $xy \bmod 2^k$ and $xy \bmod 2^k - 1$,

— the cascade of steps 1 and 2 of Algorithm 3 (or the $t$ first steps of Algorithm 1) appears to be pipeline-suitable for so-equipped hardware designs,

— division by 3 using Arazi-Naccache's fast algorithm can be implemented in hardware very easily.

7 Conclusions

In this paper, we have introduced new efficient techniques for multiplying and exponentiating double-size integers using arithmetic operations over $k$-bit integers. These techniques are particularly adapted to enhance the computational capabilities of size-limited cryptographic devices. From a theoretic viewpoint, we state that:

— multiplying two arbitrary $2k$-bit integers (up to a given bound) modulo a third $2k$-bit given number $N < N_{\max}$ leads to a complexity of essentially 9 $k$-bit modular multiplications,

— multiplying an arbitrary $2k$-bit integer by a $2k$-bit given number modulo a third $2k$-bit given number $N < N_{\max}$ leads to 6 $k$-bit modular multiplications.

Although we believe that no other algorithm could offer better results regarding Problem [?], the bounds we provide are not proven optimal so far, and the question of showing whether or not minimality is reached remains open.
Abstract. Recently Biham and Shamir announced an attack (Differential Fault Analysis, DFA for short) that recovers keys of arbitrary cryptosystems in polynomial (quadratic) complexity. In this paper, we show that under slightly modified assumptions, DFA is not polynomial and would simply result in the loss of some key-bits. Additionally, we prove the existence of cryptosystems on which DFA cannot reach the announced workfactor.



1 Introduction 

Boneh, DeMillo and Lipton's 1997 paper suggesting a cryptanalytic approach based on the generation of hardware faults motivated investigations on either improving the attacks (see [?]) or evaluating their practicality.

Extending fault-based attacks to block ciphers [?], Biham and Shamir described a cryptanalysis of DES with 200 ciphertexts where one-bit errors were assumed to be induced by environmental stress. In [?] the same authors explored another fault model based on memory asymmetry and introduced Differential Fault Analysis as a tool for breaking unknown cryptosystems.

In this paper, we further investigate DFA in the context of unknown cryptosystems. We show that under slightly modified assumptions, DFA would simply amount to the loss of some key-bits. Additionally, we prove the existence of cryptosystems on which the original attack cannot reach the workfactor announced in [?].

2 The Differential Fault Model 

The main assumption behind DFA's fault model consists in approximating the physical properties of memory devices by a perfectly asymmetric behaviour. In other words, when submitted to physical stress, EEPROM cells containing key bits would only be expected to switch from ones to zeroes¹. In this setting, Biham

¹ or alternatively from zeroes to ones depending on the technology-dependent coding convention.



H. Imai and Y. Zheng (Eds.): PKC’99, LNCS 1560, pp. 235-^^^ 1999. 
and Shamir's approach consists in applying successive stress pulses to an $n$-bit key register between repeated encryption requests of the same message $m$. As a result, the sequence of ciphertexts $\{c_0, \dots, c_r\}$ returned by the device will correspond to a sequence $\{k_0, \dots, k_r\}$ of keys obtained from the original key $k_0$ by resetting the 1-bits one by one up to the empty key $k_r = 0^n$ where $r \approx n/2$. We will hereafter denote by $k_t \xrightarrow{i} k_{t+1}$ the binary relation "$k_{t+1}$ is obtained by flipping the $i$-th bit of $k_t$".

During the second phase, the attacker retrieves the 1-bit positions in $k_0$ by backtracking. Supposedly able to replace the key register by any data of his choice, he simply explores the sequence $\{k_r, \dots, k_0\}$ by searching at each step $k_{t+1} \to k_t$ the missing position of the 1-bits. This is done in at most $O(n^2)$ encryptions.

Let us assume that the register bits induce independent random sequences and denote by $p_1$ the probability (uniform over all bits) of flipping a one bit to a zero during a stress pulse. Naturally, $p_1$'s value would entirely depend on the employed technology, the amplitude, nature and specific physical parameters of the attack's environment. We will denote by $p_{1,i}$ the value of $p_1$ during the $i$-th stress period.

Since $p_{1,i}$ is intentionally small, it appears that particular events for which $h(k_{i-1}) - h(k_i) \ge 2$, where $h$ denotes the Hamming weight, happen with negligible probability: as a consequence, we always have $h(k_i) = h(k_{i-1}) - 1$ for all $i = 1, \dots, r$. Let $n_i$ be the number of identical ciphertexts generated consecutively by the same key $k_{i-1}$; $n_i$ may also be looked upon as the number of attempts necessary to erase a bit from the current key while applying the $i$-th stress pulse. Basically, we have:

$$n_i = \frac{1}{1 - (1 - p_{1,i})^{h(k_{i-1})}} \approx \frac{1}{p_{1,i}\, h(k_{i-1})} ,$$

and therefore,

$$N = \sum_{i=1}^{h(k_0)} n_i \approx \sum_{i=1}^{h(k_0)} \frac{1}{p_{1,i}\,\big(h(k_0) + 1 - i\big)} .$$

If $p_{1,i} = p_1$ is kept constant throughout the attack, the total average number of encryptions is:

$$N = \frac{1}{p_1} \sum_{i=1}^{h(k_0)} \frac{1}{h(k_0) + 1 - i} \approx \frac{1}{p_1} \log\big(2h(k_0)\big) . \qquad (2)$$

Since $N$ grows logarithmically with $n$ for small $p_1$, there is no need to impose a particular $p_{1,i}$ sequence to minimize $N$. The attacker can thus apply successive constant-strength pulses throughout the attack. In this respect, the next section refines [?]'s model and analyses its characteristics.

3 A More Elaborate Model

Biham and Shamir's DFA relies on a strong asymmetric assumption. In this section, we show that under slightly modified hypotheses, the attack inherits an inescapable exponential workfactor.

3.1 The Zero-Probability Assumption

Although some specific types of memories do present an asymmetric behavior when submitted to certain physical stimuli, tamper-protected EEPROM cells are usually efficiently protected from specific external influences².

However, one may still try physical/chemical/electronic attacks (or a simultaneous combination of these) on a protected chip, even though this implies more intricate operations and totally unpredictable results. This being said, we will focus our investigation on registers that are characterized by a weaker differential influence, i.e. for which stressing the targeted zone flips some one bits to zeroes, while a much smaller fraction of zero bits is supposed to be transformed into ones.

3.2 Flipping Key-Bits: A Statistical Equilibrium

Assuming that some zero bits of the key register may additionally flip to one bits with a small probability during physical stress pulses, the attacker (whose aim still remains to shift one bits into zero bits) cannot avoid simultaneously causing a back-to-one flipping phenomenon.

Let $p_0$ be the probability of flipping a zero bit to a one. As in section 2, this probability is assumed to be uniform over all the register bits. Now consider the sequence $h(k_i)$ formed by the Hamming weights of successive keys stored in the device. The average number of one bits that disappeared during the $i$-th stress pulse is $U_i = n_i p_1 h(k_{i-1})$. At the same time about $Z_i = n_i p_0 (n - h(k_{i-1}))$ zeroes have been replaced by ones. Since $p_0 < p_1$ and noting that $n - h(k_0) \approx h(k_0)$, we necessarily have $Z_1 < U_1$. As the number $n - h(k_{i-1})$ of zero bits in the key increases in time, more and more zero-to-one transformations become likely to occur and $Z_i$ increases as $U_i$ constantly decreases. The equilibrium is reached when $U_i = Z_i$ and the sequence $h(k_i)$ thus converges to an $h_\infty$ such that:

$$p_1 h_\infty = p_0 (n - h_\infty) ,$$

that is

$$h_\infty = \frac{n p_0}{p_0 + p_1} = \alpha n .$$

This equation expresses a statistical equilibrium, in which one-to-zero and zero-to-one inversions expectedly compensate each other. As a consequence, the family of faulty keys $k_i$ will never stabilize on any particular key, but will oscillate inside the whole range of keys of Hamming weight $h_\infty$ (there are $\binom{n}{h_\infty}$ such keys).

² many smart card components contain security detectors that flush all the memory contents or reset the microprocessor if an abnormal event occurs (UV rays, clock glitches, depassivation, Vcc fluctuations, etc.).

As an example, in the (favorable) case when $\alpha$ is the Gilbert-Varshamov constant $\alpha = 0.11$ ($p_0 = 0.1235 \times p_1$), we get:

Hence, although this type of DFA would allow the extraction of a part of the key, it will still remain exponential in $n$.



4 DFA-Immune Cryptosystems 

In this section, we explore the original model's boundaries. Indeed, although Biham and Shamir's attack will in theory retrieve the secret key from most cryptosystems, there exist DFA-immune cryptosystems.

In particular, specific implementations may present key-verifying mechanisms, providing a brief detection of a priori dangerous characteristics of the key whenever encryption is solicited. In this respect, key-checking operations may guarantee the use of random bit-patterns and are therefore expected to protect the cryptographic function against transmission errors or incorrectly chosen keys. The following illustrative example spots keys for which the difference between the number of zero-bits and one-bits is too large:

• $H(k) = k$ if $\big|h(k) - \frac{n}{2}\big| < m$,

• $H(k) = 0^n$ otherwise.

In this case, the key is replaced by $0^n$ if its Hamming weight is too far from $n/2$. Under other implementations, the second event may just cause an internal function status flag to flip and an error is returned. Applying a DFA on such a design makes the first attack stage stop after $\approx m$ encryptions. This, when completed by brute-force search, would result in an $O(2^{n-m}\, m n)$ complexity, which is exponential in $n$ again.



4.1 Differential Fault Analysis on Parity-Protected Keys 

Some error-detecting mechanisms use a part of the key material to authenticate the bits involved in the encryption process. A typical example is the DES key format defined by the NIST where a 7-byte key is parity-protected by an additional byte spread over the key string³. According to the standard, the 8-th bit of each key byte is computed by complementing the xor of the 7 other bits. To motivate further analysis, we will denote a parity-checking predicate $\mathcal{P}$ on a bitstring $k$ as:

1. a partition $k = (k^1, \dots, k^d)$ of $k$'s bits into $d$ key-blocks,

2. a set of $d$ boolean functions $f_1, f_2, \dots, f_d$ where each $f_j$ is a linear function of $k^j$,

3. a $d$-bit vector $v$.

Obviously, $k$ fulfills a given $\mathcal{P}$ when $f_j(k^j) = v_j$ for all $j$. We will then denote by $V$ the set of keys satisfying $\mathcal{P}$. From the generic description of $\mathcal{P}$ given above, let us define on all $n$-bit strings the function $\phi : \{0,1\}^n \to \{0,1\}^d$ such that:

$$\phi(k) = \big(f_1(k^1) \oplus v_1, \dots, f_d(k^d) \oplus v_d\big) . \qquad (3)$$

It is clear that $\phi(k) = 0^d$ if and only if $k \in V$, that is $V = \mathrm{Ker}(\phi)$; $\phi$ can thus be seen as a canonic indicator of $V$ since its non-zero components indicate those blocks of $k$ for which $f_j(k^j) \ne v_j$. From the linearity of the $f_j$s, we can also infer that, for $k \xrightarrow{i} k'$:

$$\phi(k')_j = \begin{cases} \phi(k)_j \oplus 1 & \text{if bit } i \text{ is in } k^j, \\ \phi(k)_j & \text{otherwise,} \end{cases} \qquad (4)$$

expressing the fact that flipping a 1-bit of $k$ to 0 will only make $\phi(k)$ and $\phi(k')$ differ at one coordinate. As a direct property, one can show that we necessarily have:

$$(k_1, k_2) \in V^2 \;\Rightarrow\; |h(k_1) - h(k_2)| \text{ is even.} \qquad (5)$$

Let us now assume that the device, solicited to encrypt some constant message using the stored key $k$, spontaneously checks if $k \in V$ and returns an error if not.



The Descent Stage. Since $k_0 \in V$, the descent stage starts by making the device behave normally, that is, encrypt all given messages. After the first pulse, the memory contains $k_1$ which, due to Eq. (4), does not belong to $V$ anymore. The attacker is then forced to apply successive stresses until the device again accepts to encrypt (in which case the current key $k_i$ belongs again to $V$), and to collect a sequence of valid keys which eventually may allow him to extract useful information about the initial key $k_0$ during the reconstruction stage. The end of the descent, characterized by the sequence of keys $\{k_0, k_1, \dots, k_r\}$ where $r = h(k_0)$ and stabilized on the all-zero key, is detectable only if $0^n \in V$.

³ the ANSI X3.92 standard recommends the systematic use of parity-checking before encrypting.
Fig. 1. Statistical search sequence in $\{0,1\}^n$ of valid keys (crosses).



The obtained information about $k_0$ thus depends on the average total number $N$ of different plain/ciphertext pairs for which keys comply with the integrity-checking predicate. In this section, we will search for a tight estimation of $N$.

For a given $k_0$, let $W_t$ represent the set of all possible sequences $\{k_0, k_1, \dots, k_r\}$ likely to appear throughout the descent stage and $W$ those sequences that contain a $k_i \in V$ for $i > 0$. For $w \in W$, we will note $|w|$ the smallest strictly positive index $i$ such that $k_i$ appears in $w$ and $k_i \in V$. The probability that the descent fails is then:

$$P[\text{failure}] = \sum_{w \in W_t - W} P[w] , \qquad (6)$$

and in this case, naturally, the attack will not give any particular advantage over a direct exhaustive search on $k_0$. Conversely, in case of success, we have for all $w \in W$

$$P[w \mid \text{success}] = \frac{P[w]}{P[\text{success}]}\, P[\text{success} \mid w] = \frac{P[w]}{P[\text{success}]} .$$

For commodity, the normalized probability $P[w \mid \text{success}]$ will be referred to as $\tilde{P}(w)$. The average number of pulses to be applied on $k_0$ before obtaining a valid key during a successful descent stage is then:

$$\bar{t} = \sum_{w \in W} |w|\, \tilde{P}(w) . \qquad (7)$$

To each $w = \{k_0, \dots, k_r\} \in W_t$, one may then associate $\phi(w)$ as the collection $\{\phi(k_0), \dots, \phi(k_r)\}$. Because of Eq. (4) and the fact that $k_0 \in V$, $\phi(w)$ can be seen as a path in the natural graph induced by $\{0,1\}^d$ which, starting from the origin, follows the natural edges, that is, moves in one dimension at a time.
Fig. 2. Evolution of $\phi(k_t)$ in $\{0,1\}^d$ as $t$ increases. The created circuit may appear for more than one key sequence $w$, i.e. $\phi$ is not injective.



From its definition given above, one can deduce that $W$ is exactly the set of sequences $w$ for which $\phi(w)$ is prefixed by a cycle starting and ending in $0^d$. Denoting by $C$ the set of such cycles and by $|c|$ the length of $c \in C$, we have for all $c$:

$$\sum_{\{w \,:\, \phi(w) \text{ realizes } c\}} |w|\, \tilde{P}(w) = |c| \sum_{\{w \,:\, \phi(w) \text{ realizes } c\}} \tilde{P}(w) = |c|\, \tilde{P}(c) .$$

Gathering terms in Eq. (7) therefore yields:

$$\bar{t} = \sum_{c \in C} |c|\, \tilde{P}(c) , \qquad (8)$$

which relates to a classical graph calculation, as soon as the flipping probability remains uniform over all the key bits; the result is known to be:

$$\bar{t} = 2^d , \qquad (9)$$

if cycles are accepted to be of arbitrary length. In our case $|c| \le r$, and we will consider that Eq. (9) holds while imposing $r > 2^d$. As a result, the total number $N$ of successful encryptions should be close to:

$$N \approx \frac{r}{\bar{t}} \approx \frac{n}{2^{d+1}} . \qquad (10)$$



The Key-Recovering Stage. To retrieve $k_0$, the attacker explores the sequence $\{k_0, \dots, k_r\}$ backwards by positioning the $r$ missing 1-bits as in section 2. The descent stage having brought the knowledge of valid keys in the sequence, he will face an additional workfactor coming from the gaps between those keys. Basically, the total complexity of the whole attack may be written as:

$$N \times n^{\bar{t}} = \frac{n^{2^d + 1}}{2^{d+1}} . \qquad (11)$$

Although this expression remains polynomial in $n$, the exponent $2^d$ appears to be strongly dissuasive. Additionally, one notices that the average complexity grows (essentially) exponentially with $d$, which can then be tightly tuned ($d < n$) to reach an optimal protection against DFA.
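The descent model of section 2, the equilibrium of section 3.2 and the parity-protected descent of section 4.1, as an added Python simulation that is not part of the paper. The register size, the flip probabilities, the block layout ($d$ blocks of $n/d$ bits with odd parity, as for DES key bytes) and the seeds are constructed for the example; `expected_pulses` evaluates Eq. (2), `equilibrium_weight` the value $h_\infty$, and `predicted_valid_keys` the estimate (10), so that the simulated averages can be compared with them.

```python
# Added example (not from the paper): a simulation of the key-register fault
# model. pulse() applies one stress pulse with one-to-zero probability p1 and
# zero-to-one probability p0; expected_pulses() evaluates Eq. (2) for p0 = 0;
# equilibrium_weight() is h_inf = n p0 / (p0 + p1) of section 3.2; phi() and
# descent_valid_keys() implement the parity predicate of section 4.1 and count
# the faulty keys the device still accepts. All parameters are constructed here.
import random


def hamming(k):
    return bin(k).count("1")


def pulse(k, n, p0, p1, rng):
    """One stress pulse on an n-bit register: 1->0 w.p. p1, 0->1 w.p. p0, per bit."""
    for i in range(n):
        p = p1 if (k >> i) & 1 else p0
        if rng.random() < p:
            k ^= 1 << i
    return k


def expected_pulses(h0, p1):
    """Eq. (2) with constant p1: sum over i of 1 / (p1 (h0 + 1 - i))."""
    return sum(1.0 / (p1 * (h0 + 1 - i)) for i in range(1, h0 + 1))


def equilibrium_weight(n, p0, p1):
    """h_inf solving p1 h_inf = p0 (n - h_inf)."""
    return n * p0 / (p0 + p1)


def weight_trace(n, p0, p1, pulses, seed=0):
    """Hamming weight after each pulse, starting from a random key of weight about n/2."""
    rng = random.Random(seed)
    k = rng.getrandbits(n)
    trace = []
    for _ in range(pulses):
        k = pulse(k, n, p0, p1, rng)
        trace.append(hamming(k))
    return trace


def phi(k, n, d):
    """Indicator in {0,1}^d of section 4.1: bit j is set iff block j (n/d bits)
    has even weight, i.e. violates the odd-parity rule f_j(k^j) = 1."""
    w = n // d
    out = 0
    for j in range(d):
        block = (k >> (j * w)) & ((1 << w) - 1)
        if hamming(block) % 2 == 0:
            out |= 1 << j
    return out


def random_valid_key(n, d, rng):
    """d blocks of n/d bits: n/d - 1 random bits plus one parity bit, so phi(k) = 0."""
    w = n // d
    k = 0
    for j in range(d):
        data = rng.getrandbits(w - 1)
        parity = 1 ^ (hamming(data) & 1)   # forces an odd block weight
        k |= ((parity << (w - 1)) | data) << (j * w)
    return k


def descent_valid_keys(k0, n, d, rng):
    """p0 = 0 descent: erase the 1-bits of k0 one at a time in uniform order and
    count the faulty keys k_i (i > 0) that still pass the parity check."""
    ones = [i for i in range(n) if (k0 >> i) & 1]
    rng.shuffle(ones)
    k, valid = k0, 0
    for i in ones:
        k ^= 1 << i
        if phi(k, n, d) == 0:
            valid += 1
    return valid


def mean_valid_keys(n, d, trials, seed=0):
    """Average of descent_valid_keys over random valid starting keys."""
    rng = random.Random(seed)
    total = sum(descent_valid_keys(random_valid_key(n, d, rng), n, d, rng)
                for _ in range(trials))
    return total / trials


def predicted_valid_keys(n, d):
    """Eq. (10): r / t_bar with r about n/2 and mean return time t_bar = 2^d."""
    return n / 2 ** (d + 1)


if __name__ == "__main__":
    p1 = 0.05
    p0 = 0.1235 * p1             # alpha = 0.11, the case worked in section 3.2
    trace = weight_trace(64, p0, p1, 6000, seed=1)
    print(sum(trace[1000:]) / 5000, equilibrium_weight(64, p0, p1))
    print(mean_valid_keys(64, 4, 2000, seed=2), predicted_valid_keys(64, 4))
```

With $n = 64$ and $d = 4$ the simulated count of accepted faulty keys per descent lands near the 2 predicted by (10); raising $d$ to 8 (the DES layout) drops the prediction to $1/8$, which is why most descents then yield no usable plain/ciphertext pair at all.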



4.2 Authenticating the Key

Similarly, various practical implementations of key-safety mechanisms use hash functions in order to authenticate the key: the CRC is then included in the key material. In a scenario where the critical data are stored in EEPROM as $P\big(k_0 \,\|\, H(k_0) \bmod 2^m\big)$ where $H$ is a one-way hash function, $P$ a secret permutation over the bit indexes of the key register and $m$ a basic security parameter, flipping random key bits to zero results in a non-informative result with probability $1 - 2^{-m}$. If $h(k_0)$ is the Hamming weight of the original key, the average total number of plain/ciphertext pairs successfully extracted from the device is:

$$N = \frac{2^{-m} \times h(k_0)}{1 - 2^{-m}} ,$$

i.e. roughly

$$N = \frac{n}{2^{m+1} - 2} ,$$

which reaches 0 as soon as $\lceil \log(n) \rceil < m$. This means that adding a $\lceil \log(n) \rceil$-bit CRC to the key guarantees a statistical inefficiency of DFA.



4.3 Key Equivalence

In this section, we notice that, if the data stored in the EEPROM are used to compute an effective key, the proposed attack may only recover partial information about the original data. More specifically, it may disclose a key which is computationally equivalent to the genuine one. As a typical illustration, consider the simple (cryptographically inefficient) design in which a plaintext $m$ is encrypted by:

$$c = \mathrm{DES}\big[k \oplus \tilde{k}\big](m) ,$$

where the 112-bit key is $K = k \,\|\, \tilde{k}$. Applying DFA on this particular design allows the attacker to retrieve an equivalent $K' = k' \,\|\, \tilde{k}'$ such that

$$k' \oplus \tilde{k}' = k \oplus \tilde{k} , \qquad (12)$$

but recovering the original key $K$ information-theoretically implies a $2^{56}$-step brute-force search. In a more general context, DFA-immunity appears on cryptosystems whose key input is fed by a non-injective function.
4.4 Intrinsic DFA-Immunity

Clearly, other cryptographic schemes present DFA-resistant features. In particular, any probabilistic algorithm such as ElGamal encryption or the DSA signature scheme basically involves randomized computations which do not allow the attacker to perform the descent stage nor the key retrieval phase with a non-negligible probability. In this case indeed, the attacker could not link ciphertexts (or signatures) to the message $m$ when the function has processed a faulty secret key, and the attack simply cannot be successful.

5 Concluding Remarks

We investigated the relevance of Differential Fault Analysis in particular contexts and showed that although the attack may sometimes offer substantial theoretical benefits, simple algorithmic countermeasures exist. This points out that DFA issues should essentially be looked upon as a research subject related to prudent engineering [?] and implementation-dependent security recommendations.
Abstract. This paper concerns the barriers to interoperability that exist between the X.509 and EDIFACT Public Key Infrastructures (PKI), and proposes a method to overcome them. The solution lies in the DEDICA (Directory based EDI Certificate Access and management) TELEMATIC Project, funded by the European Union. The main objective of this project is to define and provide means to make these two infrastructures inter-operable without increasing the amount of information that they have to manage. The proposed solution is a gateway tool interconnecting both PKIs. The main purpose of this gateway is to act as a TTP that "translates" certificates issued in one PKI to the other's format, and then signs the translation to make it a new certificate. The gateway will in fact act as a proxy CA for the CAs of the other PKI.



1 Introduction 

The growth and expansion of electronic means of communication has led to 
a need for certain mechanisms to secure these communications. These services 
are mostly based on asymmetric cryptography, which requires an infrastructure 
(PKI) to make the public keys available. Several initiatives around the world have 
led to the emergence of PKIs based on X.509 certificates, such as SET (Secure 
Electronic Transaction) or PKIX (Internet Public Key Infrastructure). X.509 is 
the authentication framework designed to support X.500 directory services. Both 
X.509 and X.500 are part of the X series of international standards proposed by 
the ISO and ITU. 

Another type of PKI is the one based on EDIFACT certificates. Electronic 
Data Interchange (EDI) is the electronic transfer from one computer to another 
of commercial or administrative documents using an agreed standard to structure 
the transaction or message data. In the EDI world the internationally accepted 
standard is EDIFACT (EDI For Administration Commerce and Trade). Expert 
groups from different areas work on the development of EDIFACT compliant 

^ This project has been funded by the EC (TE-2005) and the Spanish government: 
CICYT (TEL-96/ 1644-CE), and has been selected by the G8 as one of the pilot 
projects to promote the use of telematic applications in SMEs. 

H. Imai and Y. Zheng (Eds.): PKC’99, LNCS 1560, pp. 245-^^^ 1999. 

© Springer-Verlag Berlin Heidelberg 1999 
messages, producing UN/EDIFACT (a set of internationally agreed standards, directories and guidelines for the electronic interchange of structured data) [?].
EDIFACT syntax defines a way of structuring information from a basic level 
involving sequences of characters (representing numbers, names, codes, etc.) to 
the highest level (the interchange) including sequences of messages (the elec- 
tronic version of paper documents), which in turn are made up of sequences of 
qualitatively relevant pieces of information, the segments (to represent date and 
time, for instance), just as in paper documents one can link pieces of related in- 
formation. The EDIFACT certificates are encoded in EDIFACT syntax, and are 
formed by segment groups related to general certificate information, algorithm 
and key information and the CAs (Certification Authority) digital signature 
(USC-USA(3)-USR). Since EDIFACT certificates are structured and encoded 
using EDIFACT syntax, they can be included within EDIFACT messages. 

These infrastructures are not interoperable, mainly due to the fact that the 
certificates and messages are coded differently. 

1.1 DEDICA Project: A Solution to the Problem of Interoperability 
between the X.509-based PKI and the EDIFACT PKI 

DEDICA (Directory based EDI Certificate Access and management) is a research 
and development project established by the European Commission under the 
Telematics Applications program. Its main objective is to define and provide 
means to make the two above-mentioned infrastructures inter-operable without increasing the amount of information they must manage. The proposed solution
involves the design and implementation of a gateway tool interconnecting both 
PKIs: the certification infrastructure, currently available, based on standards 
produced in the open systems world, and the existing EDI applications that 
follow the UN/EDIFACT standards for certification and electronic signatures 
mechanisms. 

The main purpose of the gateway proposed by DEDICA is to act as a TTP (Trusted Third Party) that translates certificates issued in one PKI to the other's format, and then signs the translation to make it a new certificate. For instance, any user certified within an X.509 PKI could get an EDIFACT certificate from this gateway without having to register with an EDIFACT Authority. The gateway will in fact act as a proxy CA for the CAs of the other PKI.

The tools developed for the gateway can also be used in systems with a mixture of components, as they allow CAs in one of the PKIs to behave as CAs in the other one. This gives a broader scope to the work and means it could now be the starting point for further specifications and developments leading to inter-operability among other currently emerging PKIs (SPKI for instance).

In the figure below the DEDICA gateway context is shown. Each user is 
registered in his PKI and accesses the certification objects repository of this 
PKI. The DEDICA gateway must be able to interact with the users of both 
PKIs in order to respond to their requests. It must also be able to access the 
security objects stores of both PKIs, and to be certified in EDIFACT and X.509 
CAs. 
Fig. 1. DEDICA gateway context (EDIFACT PKI on one side, X.509 PKI on the other).

2 Functionality of the Gateway 

The problem of interoperability between the X.509 and EDIFACT PKIs was 
approached on two levels by the DEDICA project: the different formats of the 
certificates and the different messages interchanged by the PKI entities. 

To deal with the former, the DEDICA consortium, after in-depth study of 
the contents of both types of certificates, specified a set of mapping rules which 
permit two-way translation of both types of certificates. 

In the case of the differences in messages and certification services: whereas in the EDIFACT world the UN/EDIFACT KEYMAN message is used to provide certification services, in the X.509 world a set of messages specified for each PKI (such as PKIX in the Internet, for instance) is used.

The DEDICA gateway is able to offer four services: 

1. A request for an EDIFACT certificate from an X.509 certificate generated 
by an X.509 CA. 

2. Verification of an EDIFACT certificate generated by the DEDICA gateway 
(from the mapping of an X.509 certificate). 

3. A request for an X.509 certificate from an EDIFACT certificate generated 
by an EDIFACT CA. 

4. Verification of an X.509 certificate generated by the DEDICA gateway (from 
the mapping of an EDIFACT certificate). 

Figure 1 shows the DEDICA gateway context. This context is the following: 
an X.509 PKI with CAs, users and X.500 Directory access (the Directory op- 
erating as a repository of security objects), an EDIFACT PKI with CAs and 
users, and the DEDICA gateway, certified by CAs in both PKIs and with access 
to the X.500 Directory. 

The DEDICA gateway defines the terms Initial certificate and Derived cer- 
tificate as follows: 

Initial Certificate: any certificate supplied by the Certification Author- 
ity of any Public Key Infrastructure (EDIFACT or X.509). 

Derived Certificate: a certificate deriving from an initial certificate, gener- 
ated by the DEDICA gateway through the mapping rules defined by DEDICA. 
The derived certificate depends on the initial one: if the initial certificate is 
revoked, then the derived certificate is also considered to be revoked. 



2.1 Request for a Derived Certificate 

In the scenario shown in figure 1, an X.509 user (user X) may wish to send 
EDIFACT messages to an EDIFACT user (user E) using digital signatures or 
any other security mechanism that implies the management of certificates. This 
user needs a certificate from the other Public Key Infrastructure (in this case, 
the EDIFACT PKI). He therefore sends an interchange to the gateway requesting 
the production of an "equivalent" EDIFACT certificate. This interchange contains 
a KEYMAN message (indicating a request for an EDIFACT certificate) and the 
X.509 certificate of this user in an EDIFACT package (an EDIFACT structure 
able to carry binary information). 

The gateway validates the X.509 certificate. If the certificate is valid (the 
signature is correct, it has not been revoked, and it has not expired), it performs 
the mapping process and generates the new derived EDIFACT certificate. It then 
sends the derived certificate to user X within a KEYMAN message. 

Now user X can communicate with user E using security mechanisms that 
rely on certificates, by sending an EDIFACT interchange that carries this derived 
EDIFACT certificate. 



2.2 Validation of a Derived Certificate 

The DEDICA gateway also validates derived certificates at the user's request. 

Continuing with the process described in the previous section, user E, af- 
ter receiving the interchange sent by user X, requests validation of the derived 
certificate by sending the corresponding KEYMAN message to the gateway. 

The gateway determines whether the EDIFACT certificate has been gener- 
ated by itself, and proceeds with the validation of the original X.509 certificate 
and the derived EDIFACT certificate. It has to access the X.500 Distributed 
Directory to get both the original X.509 certificate and the Certificate Revoca- 
tion Lists (CRLs) needed for this validation. The general process 
for the validation of derived certificates is the following: 

1. First the validity of the derived certificate is verified. This implies checking: 

(a) That the signature matches the public key of the gateway. 

(b) That the certificate is within the validity period. 

2. The X.500 Distributed Directory is accessed in order to obtain the original 
X.509 certificate and the necessary Certificate Revocation Lists. 
3. The signature of the original certificate is verified and the validity period is 
checked. 

4. The gateway verifies the certification path of the original X.509 certificate, 
and checks that the certificates have not been revoked. 

If these steps are successfully accomplished, then the derived EDIFACT cer- 
tificate can be considered as a valid certificate, and the gateway will send the 
validation response to the EDIFACT user within a KEYMAN message. 



Request for certificate 

KEYMAN 
-► UNOX509 -► 

< ► 

^ KEYMAN ^ 

UserX (EDIFACT Cert) 




DEDICA 
f CertMapI 






V / 




UserX 



Secured Interchange 



& EDIFACT 
Certificate 





U»rE 




UserE 




UserX 



Validation of a derived certificate 



DEDICA 
fceniinap ) 

f ManqMap ] 



y 



KEYMAN 

.^-^EIFACT Cert>^|=| 

— ► KEYMAN — 

(Valid.resulO UserE 



Fig. 2. Functionality of the DEDICA gateway. 



3 Architecture of the Gateway 

The DEDICA gateway is made up of two main architectural blocks: the 
CertMap and the MangMap modules. The former is responsible for mapping 
the certificates; the latter converts the functionality of the KEYMAN message 
into equivalent X.509 PKI operations (including X.500 access). 



3.1 CertMap Module 

The CertMap module is in charge of mapping certificates following the 
mapping rules defined by the DEDICA project. Its operation is launched by 
the MangMap module, which gives it the needed input. There are two possible 
inputs to the CertMap module: 

— An X.509 certificate, DER encoded. 

— An EDIFACT certificate encoded following the rules of the UN/EDIFACT syntax. 

There are three possible outputs from the CertMap module: 

— A derived EDIFACT certificate encoded according to the UN/EDIFACT syn- 
tax rules, if the input to the CertMap was a DER-encoded X.509 certificate 
and the derivation process has been successfully completed. 

— A derived X.509 certificate, DER encoded, if the input to the CertMap was 
an EDIFACT certificate and the derivation process has been successfully 
completed. 

— An error indication if it has not been possible for the CertMap to complete 
the generation of the derived certificate. 



Comparison between X.509 and EDIFACT Certificates. The CertMap 
module accomplishes the two-way translation of the certificates. It receives as 
input an EDIFACT certificate (printable characters) or an X.509 certificate (en- 
coded with the DER rules) and returns, respectively, a new X.509 or EDIFACT 
certificate. But the X.509 and EDIFACT certificates have many meaningful differences. 

— The X.509 certificate is syntactically different from the EDIFACT certificate. 
The first incompatibility between the two certificates is the syntax used for 
their definition. In the X.509 environment the ASN.1 abstract syntax is used, 
whereas in EDIFACT the certificates are specified following the EDIFACT 
syntax. The transfer syntax used for transmission also presents interoper- 
ability problems: in the X.509 environment the DER rules are used, whereas 
in EDIFACT the information is transmitted encoded in printable characters. 

— Another aspect to take into account is the different name systems used. In the 
X.509 world, the basic mechanism of identification is the Distinguished Name 
(DN), which is associated with an entry in the DIT (Directory Information 
Tree) of the X.500 Distributed Directory. Furthermore, the X.509 certificate 
supports a variety of name types apart from DNs, such as the RFC 822 
name, URLs and even EDI party names. On the other hand, the EDIFACT 
certificate supports both codes (i.e. identifiers assigned by authorities) and 
EDI party names. However, the new version of the EDIFACT certificate 
incorporates mechanisms that allow Distinguished Names to be carried in 
certain fields of the certificate. The DEDICA gateway performs a names 
mapping between Distinguished Names and EDI names, according to the 
guidelines defined in EDIRA (EDIRA Memorandum of Understanding). 
EDIRA proposes an identification mechanism compatible with the DN strategy 
in X.500. In this way EDI users can make use of the X.500 Distributed 
Directory, using the entity registration for EDI entities proposed by EDIRA. 

— The time information in the X.509 and EDIFACT certificates is also dif- 
ferent. Whereas the EDIFACT certificate contains elements to specify the 
generation time and the revocation date of the certificate, the X.509 certifi- 
cate does not carry these data. 
— Whereas X.509 version 3 certificates use the extension mechanism to include 
contents beyond those defined in version 1, the EDIFACT certificate has no 
mechanism to extend its semantics. Some examples of these extensions are 
listed below. 

• Certificate Policies and Policy Mappings. The X.509 certificate can iden- 
tify the policies that define the use of the certificate and the keys related 
to it, and it allows a list of equivalences between certificate policies to 
be specified. 

• Certificate Path Constraints. X.509 allows the specification of constraints 
on certification paths. By means of an X.509 extension it is possible to 
indicate whether the subject of the certificate is a CA and how deep a 
certification path may extend through that CA. 

• Name Constraints. It is possible to indicate a name space within which 
all subject names in subsequent certificates in a certification path must 
be located. 

• Alternative Names. This allows alternative name forms to be specified for 
the subject and issuer of the certificate, such as an X.500 Directory name, 
a TCP/IP DNS name or IP address, an RFC 822 name, a URL and even 
an EDI party name. 



Specifications of CertMap Mapping Rules. This section is mainly devoted 
to showing the mapping rules that the DEDICA gateway follows to convert 
certificates of one type (X.509 or EDIFACT) into certificates of the other type 
(EDIFACT or X.509). Mapping rules must respect the semantics of data elements, 
fields and extensions, and must try to carry as much of the information contained 
in the original certificate as possible into the new certificate generated by the 
gateway. However, the large number of extensions already defined in X.509 
version 3 implies that there will be situations in which this is impossible: some 
X.509 extensions will not be mapped into data elements of standard EDIFACT 
certificates. The EDIFACT certificates derived from such X.509 certificates can 
still be used in the EDIFACT world, because they will contain almost all the 
information that makes an initial EDIFACT certificate operative in that domain. 
As has been said before, the UN/EDIFACT segments are made up of composite 
elements and simple data elements, and the composite elements of simple data 
elements. The notation used in the following sections to specify an EDIFACT 
element is a dotted notation, in which the element is named from the most 
general element down to the element to be specified. Thus, to specify a simple 
data element that is included in a composite element of a segment, the notation 
is the following: 

<Segment>.<CompositeElement>.<SimpleDataElement> 

This clause presents the global rules that the DEDICA gateway applies to 
map the fields and extensions of the X.509 certificate to data elements of the 
EDIFACT certificate. Each field of the X.509 certificate that is mapped into an 
element of the new EDIFACT certificate is listed below with its mapping. The 
fields that are not mapped into any element are not listed. 

Serial Number 

This element uniquely identifies one certificate issued by the CA. The DED- 
ICA gateway numbers the certificates that it generates, and puts this generated 
serial number into the USC.0536 element. 

Signature (algorithm) 

This field specifies the hash algorithm used by the CA and the algorithm used 
to encipher this hash value. 

EDIFACT has two data elements to carry the hash algorithm applied by the CA 
and the algorithm used to encipher the hash value, whereas the X.509 certificate 
has a single field that identifies both the hash and the encipherment algorithm 
used by the CA. The hash algorithm is indicated in USA[CAHashing].S502.0527, 
and the cipher algorithm in USA[CASigning].S502.0527. 

In DEDICA only two kinds of signatures are considered: 
sha1WithRSASignature and md5WithRSA. 

Validity 

There are four USC.S501 time elements in the EDIFACT certificate. Two of 
them correspond to the X.509 validity fields (not before and not after), and 
these X.509 fields are mapped into them. The third one specifies the certificate 
generation time, and its value is generated by the DEDICA gateway; the fourth 
one specifies the revocation time, and it does not appear in a derived EDIFACT 
certificate. 

Subject 

This field identifies the certificate owner, and it is mapped following the 
names mapping rules defined by DEDICA into the USC.S500.0586 element 
related to the owner. 

SubjectPublicKeyInfo 

This field carries the owner's public key and identifies the algorithm with 
which the key is used. 

The EDIFACT certificate carries the public key in the USA[owner].S503 ele- 
ment. In the case of an RSA public key, this key is structured in three occurrences 
of this element: one for the key modulus, another for the exponent, and the 
third for the length in bits of the modulus. The owner public key carried in the 
SubjectPublicKeyInfo is mapped into these three occurrences of the 
USA[owner].S503 element. 

The identification of the algorithm with which the key is used is mapped 
into the USA[owner].S502.0527 element. Because only the RSA algorithm is 
supported in the first phase, the USA[owner].S502.0527 element of the EDIFACT 
certificate will specify the use of the RSA algorithm. 

KeyUsage Extension 

This field indicates the purpose for which the certified public key is used, 
and it is mapped into the USA[owner].S502.0523 element. If it specifies a digital 
signature use, this EDIFACT element will contain a value indicating that the 
certified public key is used by the issuer to sign. If it specifies a key encipherment 
use, the USA[owner].S502.0523 element will indicate that the public key is 
used by the owner to encipher. If this extension specifies any other use, it is 
not mapped. 

SubjectAltName Extension 

This field contains one or more alternative names, using any of a variety of 
name forms, for the certificate subject. 

If the name form used is EDIPartyName, it can be mapped into the 
USC.S500.0586 element related to the owner. 

AuthorityKeyIdentifier Extension 

This extension identifies the CA's key used to sign the certificate, and it is 
mapped into the USC.S500.0538 element of the USC.S500 related to the issuer. 

SubjectKeyIdentifier Extension 

This extension identifies the public key being certified, and it is mapped 
into the USC.S500.0538 element of the USC.S500 related to the certificate 
owner. 

The following tables show the mapping between X.509 fields/extensions and 
EDIFACT data elements. The first column is the initial X.509 field/extension of 
the X.509 certificate; the mapping result is filled in the EDIFACT data element 
of the second column. 

Only the extensions that DEDICA can map are shown. 



Table 1. Mapping between X.509 fields and extensions, and EDIFACT data 
elements. 

Field (X.509)                  Data Element (EDIFACT) 
-----------------------------  ------------------------------------------------------- 
version                        USC.0545 Certificate syntax version, coded 
serialNumber                   USC.0536 Certificate reference 
tbsCertificate.signature       USA(CA-E).S502.0527 Algorithm, coded 
                               USA(CA-H).S502.0527 Algorithm, coded 
                               USA(CA-E).S502.0525 Cryptographic mode of operation, coded 
                               USA(CA-H).S502.0525 Cryptographic mode of operation, coded 
issuer                         Not mapped 
validity                       USC.S501 Security date and time 
subject                        (see Names Mapping Strategy, Deliverable DST2) 
subjectPublicKeyInfo           USA(OW).S502.0527 Algorithm, coded 
issuerUniqueIdentifier         Not mapped 
subjectUniqueIdentifier        Not mapped 

Extension (X.509)              Data Element (EDIFACT) 
-----------------------------  ------------------------------------------------------- 
keyUsage                       USA(OW).S502.0523 Use of algorithm, coded 
subjectAltName.ediPartyName    USC.S500.0586 Security party name 
authorityKeyIdentifier         USC.S500.0538 Key name 
subjectKeyIdentifier           USC.S500.0538 Key name 
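As an added illustration of the rules above (this is not DEDICA code, which the paper does not reproduce), the following Python applies the Table 1 mapping to a parsed X.509 certificate and renders the result as EDIFACT segments with the default service characters, including the release character that a ":" inside an EDI party name requires. It keeps the paper's dotted element notation as dictionary keys. The certificate dictionary, the names mapping table, the numeric code values for 0527 and 0523, and the order of elements inside the USC and USA segments are all constructed placeholders; the real values are in the UN/EDIFACT directory code lists.

```python
"""Added illustration of the CertMap rules in Table 1 (not DEDICA code).
Keys use the paper's dotted notation <Segment>.<Composite>.<SimpleDataElement>,
with a bracketed qualifier where an element occurs several times."""
from datetime import datetime, timezone

# ILLUSTRATIVE code values: the real ones are in the UN/EDIFACT code lists
# (0527 Algorithm, 0523 Use of algorithm) and are not reproduced in the paper.
ALGORITHM_CODE = {"rsa": "10", "md5": "16", "sha1": "17"}
USE_OF_ALGORITHM = {"issuerSigning": "3", "ownerEnciphering": "4"}
# The only signature algorithms DEDICA maps (Sect. 3.1), split into (hash, cipher).
SUPPORTED_SIGNATURES = {"sha1WithRSAEncryption": ("sha1", "rsa"),
                        "md5WithRSAEncryption": ("md5", "rsa")}


class MappingError(Exception):
    """CertMap error indication: no derived certificate can be generated."""


def edifact_time(dt):
    """S501 components: date CCYYMMDD and time HHMMSS, in UTC."""
    dt = dt.astimezone(timezone.utc)
    return (dt.strftime("%Y%m%d"), dt.strftime("%H%M%S"))


def edifact_segment(tag, *elements):
    """Serialise one segment with the default service characters: '+' separates
    data elements, ':' separates components, ''' terminates, '?' releases."""
    def esc(text):
        return "".join("?" + ch if ch in "+:'?" else ch for ch in str(text))
    rendered = [":".join(esc(c) for c in e) if isinstance(e, (list, tuple)) else esc(e)
                for e in elements]
    return tag + "+" + "+".join(rendered) + "'"


def map_x509_to_edifact(cert, reference, names_map, generated_at):
    """Apply the Table 1 rules to a parsed X.509 certificate (a dict, as the ASN.1
    tool would hand it to CM_KE). `names_map` (DN -> EDI name) stands in for the
    DEDICA names mapping rules, which the paper does not reproduce."""
    hash_alg, cipher_alg = SUPPORTED_SIGNATURES.get(cert["signature"], (None, None))
    if hash_alg is None:
        raise MappingError("unsupported signature algorithm " + cert["signature"])
    spki = cert["subjectPublicKeyInfo"]
    if spki["algorithm"] != "rsaEncryption":
        raise MappingError("only RSA keys are mapped in the first phase")
    ext = cert.get("extensions", {})
    owner = ext.get("subjectAltName", {}).get("ediPartyName") or names_map.get(cert["subject"])
    if owner is None:
        raise MappingError("no EDI name for subject " + cert["subject"])
    m = {
        "USC.0545": str(cert["version"]),
        "USC.0536": reference,              # gateway-assigned, not the X.509 serial
        "USC.S500[OW].0586": owner,
        "USA[CA-H].S502.0527": ALGORITHM_CODE[hash_alg],
        "USA[CA-E].S502.0527": ALGORITHM_CODE[cipher_alg],
        "USA[OW].S502.0527": ALGORITHM_CODE["rsa"],
        # public key as three S503 occurrences, hexadecimal filter applied (CM_FF)
        "USA[OW].S503[modulus]": format(spki["modulus"], "X"),
        "USA[OW].S503[exponent]": format(spki["exponent"], "X"),
        "USA[OW].S503[modulusLength]": str(spki["modulus"].bit_length()),
    }
    not_before, not_after = cert["validity"]
    m["USC.S501[validityStart]"] = edifact_time(not_before)
    m["USC.S501[validityEnd]"] = edifact_time(not_after)
    m["USC.S501[generation]"] = edifact_time(generated_at)
    # The fourth S501 (revocation time) never appears in a derived certificate.
    if "subjectKeyIdentifier" in ext:
        m["USC.S500[OW].0538"] = ext["subjectKeyIdentifier"]
    if "authorityKeyIdentifier" in ext:
        m["USC.S500[CA].0538"] = ext["authorityKeyIdentifier"]
    usage = set(ext.get("keyUsage", []))
    if "digitalSignature" in usage:
        m["USA[OW].S502.0523"] = USE_OF_ALGORITHM["issuerSigning"]
    elif "keyEncipherment" in usage:
        m["USA[OW].S502.0523"] = USE_OF_ALGORITHM["ownerEnciphering"]
    # issuer, the unique identifiers, other key usages and other extensions: not mapped
    return m


def serialise(m):
    """Render the mapped elements as USC/USA segments. The order of elements inside
    each segment is simplified here; the real layouts are in the UN/EDIFACT directory."""
    s501 = [[q, *m[f"USC.S501[{q}]"]] for q in ("generation", "validityStart", "validityEnd")]
    usc = edifact_segment("USC", m["USC.0536"],
                          ["OW", m.get("USC.S500[OW].0538", ""), m["USC.S500[OW].0586"]],
                          ["CA", m.get("USC.S500[CA].0538", "")], m["USC.0545"], *s501)
    usa = [edifact_segment("USA", ["CA-H", m["USA[CA-H].S502.0527"]]),
           edifact_segment("USA", ["CA-E", m["USA[CA-E].S502.0527"]]),
           edifact_segment("USA", [m.get("USA[OW].S502.0523", ""), m["USA[OW].S502.0527"]],
                           ["modulus", m["USA[OW].S503[modulus]"]],
                           ["exponent", m["USA[OW].S503[exponent]"]],
                           ["modulusLength", m["USA[OW].S503[modulusLength]"]])]
    return [usc] + usa      # the USR segment (gateway signature) is appended after signing


# Constructed sample input, not a real certificate (64-bit modulus for brevity).
SAMPLE_X509 = {
    "version": 3, "serialNumber": 4711, "signature": "sha1WithRSAEncryption",
    "issuer": "CN=Example CA,O=Example,C=ES", "subject": "CN=User X,O=Example Co,C=ES",
    "validity": (datetime(1999, 1, 1, tzinfo=timezone.utc), datetime(2000, 1, 1, tzinfo=timezone.utc)),
    "subjectPublicKeyInfo": {"algorithm": "rsaEncryption", "modulus": 0xC0FFEE1234567891, "exponent": 65537},
    "extensions": {"keyUsage": ["digitalSignature", "nonRepudiation"],
                   "subjectAltName": {"ediPartyName": "EXAMPLE CO:USER X"},
                   "authorityKeyIdentifier": "A1B2C3", "subjectKeyIdentifier": "D4E5F6",
                   "basicConstraints": {"cA": False}},     # not mapped
}
GENERATED_AT = datetime(1999, 3, 1, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for segment in serialise(map_x509_to_edifact(SAMPLE_X509, "DEDICA-000001", {}, GENERATED_AT)):
        print(segment)
```

Two behaviours worth noticing when running it: a certificate signed with an algorithm outside the two that DEDICA supports is rejected with the CertMap error indication rather than silently mapped, and a keyUsage such as cRLSign produces no 0523 element at all, exactly as the text above prescribes.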
Internal Structure of the CertMap Module. In the internal design of the 
CertMap module, different kinds of modules have been identified: 

— The CM_Kernel module (CM_KE). This module coordinates the opera- 
tions performed by the rest of the modules in CertMap. It receives as input 
an original EDIFACT certificate (USC-USA(3)-USR) or a DER-encoded X.509 
certificate. If the derived certificate is successfully generated, CM_KE 
returns it to MangMap; otherwise an error code is returned. 

— Mapping function modules. A set of modules, each related to one of the 
functions needed during the mapping between the initial and the derived 
certificates, has been identified. A short description of each one follows: 

• The CM_Names module (CM_NM) performs the mapping between 
the EDI names and the X.509 names (Distinguished Names). 

• The CM_Algorithm module (CM_AL) maps the identifiers of algo- 
rithms and cryptographic modes of operation. 

• The CM_Time module (CM_TM) maps the information related to the 
dates and times of both certificates. 

• The CM_Filter module (CM_FF) applies the specified filter function 
to the digital signature of a derived EDIFACT certificate, or to a public 
key. 

• The CM_Keys module (CM_PK) manages the mapping between the keys 
and key names involved in the certificates. 

— The EDIFACT certificate encoding/decoding module (CM_CE). This 
module is able to extract all the information contained in an EDIFACT 
certificate. The EDIFACT certificate information is stored in internal 
variables of an agreed structured data type so that it can be manipulated 
during the mapping process. This module is also able to generate the character 
stream corresponding to a derived EDIFACT certificate from an initial X.509 
certificate. 

— A set of APIs needed to allow the CM_KE to interact with external software 
tools. Two of these tools have been identified as necessary: an ASN.1 tool 
and a cryptographic tool. The APIs needed are the following: 

• The CM_KE:ASN1 API. This API provides the means for the 
CM_KE to extract the information from the DER-encoded initial X.509 
certificate. This information is stored in variables of an agreed type so 
that the modules of the CertMap can manipulate it. It also provides the 
means for the CM_KE to instruct the ASN.1 tool to produce the DER 
stream corresponding to a derived X.509 certificate from an initial 
EDIFACT certificate. 

• The CM_KE:CRYPTOGRAPHIC API. This API provides the means 
for the CM_KE to interact with the cryptographic tools that sign the 
derived certificates. 

In DEDICA, a table that contains mapping information was defined: the 
Names Mapping Table. This table establishes links between initial and 
derived certificates. These links are generated by the CertMap module. In conse- 
quence, an explicit connection between CertMap and the Names Mapping Table 
must appear. 




Fig. 3. CertMap module structure. 



Sequence of Operations. In this clause, a more detailed view of the sequence 
of operations that take place inside the CertMap to generate a derived 
certificate from the initial one is given. 

Mapping from X.509 to EDIFACT. The figure below is a graphical represen- 
tation of these operations. It shows how the CM_KE module co-ordinates the 
internal modules and external tools to generate a derived EDIFACT 
certificate from an initial X.509 one. 

It can be seen how the different parts of the system take part in the generation 
of the derived certificate. It has to be pointed out that the effective mapping 
process is performed, as has been said before, by the modules CM_NM, CM_AL, 
CM_TM, CM_PK and CM_FF. It has to be remarked that the filtering of the 
public key is part of the mapping of the public key in the certificate. 

Table 2 below gives a high level description of the tasks that generate an 
EDIFACT derived certificate from an initial X.509 certificate. 

Fig. 4. Mapping process from X.509 to EDIFACT. 

Mapping from EDIFACT to X.509. The opposite direction is very similar to the pre- 
vious case. In this case the CM_CE module extracts the information of the original 
EDIFACT certificate and puts it into a variable of the agreed data type. The mapping 
modules perform their tasks, and the names, time, algorithm and public key infor- 
mation is mapped into the new X.509 certificate. Then the DER code for the toBeSigned 
part of the X.509 certificate is generated by the ASN.1 tool, and the crypto- 
graphic tool is used to sign the DER code of the toBeSigned part of the derived 
X.509 certificate. Since a new interrelationship between an X.509 and an EDIFACT 
certificate is built, a new entry must be added to the Names Mapping Table. Now 
the ASN.1 tool is again used in order to generate the DER code for the whole 
derived X.509 certificate. Finally the new derived X.509 certificate is returned 
to the MangMap. 



Table 2. Tasks performed by the CertMap to generate a derived EDIFACT 
certificate from an initial X.509 certificate. 

1. Extract the information of the initial X.509 certificate using the ASN.1 
tool through the CM_KE:ASN1 API and put it into a variable of the 
agreed data type. 

2. Map names, time, algorithm, and public key information. 

3. Code the USC-USA(3) segments according to the EDIFACT syntax. 

4. Sign this character stream using the cryptographic tool through the 
CM_KE:CRYPTOGRAPHIC API. 

5. Code the USR segment and add it to the USC-USA(3) stream. 

6. Add a new entry to the Names Mapping Table. 

7. Return the derived EDIFACT certificate. 
3.2 MangMap Module 

The DEDICA gateway has to convert certain of the KEYMAN message oper- 
ations into equivalent operations in the X.509 PKI (including X.500 access). 
This is accomplished by the MangMap module of the DEDICA gateway. The 
MangMap module is also the general management module of DEDICA. It re- 
ceives all the requests sent to the gateway and decides which information has to 
be recovered from external repositories, which type of translation is needed, and 
which results must be generated and sent to the requesting entity. 

Internal Structure of the MangMap Module. The most important blocks 
in the MangMap are the following: 

— MangMap Kernel (MK) module 

The MangMap Kernel module handles the different types of requests 
from both KH and XH and co-ordinates the execution of all the 
steps needed to perform the request. 

— KEYMAN Handling (KH) module 

This module can receive requests from an end user and from 
the kernel block. On reception of KEYMAN messages from an end 
user, it checks the protection applied to the KEYMAN, analyses it, 
interprets it and converts the message into an internal request to the 
MangMap Kernel block. On reception of requests from the MangMap 
Kernel block, it builds KEYMAN messages, applies the required pro- 
tection and makes the KEYMAN available to the communication 
services. 

— X.509 Public Key Infrastructure Messages Handling (XH) module 

On reception of relevant X.509 public key infrastructure messages 
from an end user, the XH module checks the protection applied to 
the message, analyses it and converts the message into an internal 
request to the MK. 

It can also access the X.500 Directory in order to obtain X.509 
certificates, revocation lists and certification paths. XH is able 
to send requests to X.500 and to obtain and interpret the answers. 

On reception of requests from MK, it builds the relevant X.509 pub- 
lic key infrastructure messages, applies the required protection and 
makes the message available to the communication service. 

Figure 5 shows the building blocks of the MangMap module and their relationships 
with the CertMap module. 

Information Flow Example: Derived EDIFACT Certificate Request. 

This section shows the information flow inside the building blocks of MangMap 
module, when an X.509 certificated user requests a derived EDIFACT certificate. 
A slightly different flow occurs when validation of this certificate is required. The 
following list shows a high level description of the task performed by the building 
blocks in the gateway. 
Fig. 5. Derived EDIFACT certificate request. 



1. The requesting interchange arrives at the MangMap Kernel (MK) block in 
MangMap. This interchange carries a KEYMAN message with a package 
containing the DER-encoded X.509 certificate, or even the user's DER-encoded 
Distinguished Name. 

2. MK identifies the request and passes the interchange to the KEYMAN Han- 
dling (KH) block. 

3. KH analyses the KEYMAN message and sends the request information back 
to the MK in order to provide the derived certificate. 

4. MK instructs the X.509 PKI Messages Handling block (XH) to access the 
X.500 DIT entries to retrieve all the information necessary to verify the 
validity of the initial X.509 certificate (the original X.509 certificate and 
CRLs). 

5. XH retrieves the relevant Certificate Revocation List from the X.500 Direc- 
tory and checks whether the initial certificate has been revoked. 

6. XH retrieves the Certification Path from the X.500 Directory and verifies 
the signatures of the involved CAs. 

7. If the initial certificate has not been revoked and the Certification Path has 
been successfully verified, XH notifies MK that the corresponding derived 
EDIFACT certificate can be generated. 

8. MK then instructs the CertMap module to generate the EDIFACT certifi- 
cate. 

9. The CertMap generates the derived certificate and also creates a new entry 
in the Names Mapping Table associating both initial and derived certificates. 

10. The CertMap module passes the derived certificate to the MK module. 

11. MK passes the derived certificate to the KH module. 
12. KH then builds the response and passes it to MK. This response contains 
the KEYMAN message with the derived EDIFACT certificate. It can also 
contain a package with the initial X.509 certificate. 

13. MK passes the answer interchange to the communication system. 
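The request flow just listed and the validation procedure of Sections 2.1 and 2.2 can be put together as one runnable model. The Python below is an added example and not the project's software: the "signatures" are textbook RSA over small fixed primes standing in for the cryptographic tool, the Directory is a dictionary standing in for the X.500 Directory reached over LDAP, and the CA name, user certificate and serial numbers are constructed. The names mapping rules are not modelled (the subject DN is copied as the owner name), and the last method models the revocation list of derived certificates that Section 5 proposes rather than anything the gateway does today.

```python
"""Added model of the DEDICA gateway services (not the project's software):
request for a derived EDIFACT certificate and its later validation."""
import hashlib
import json
from datetime import datetime, timezone

# Toy signature scheme: textbook RSA over fixed small primes. ILLUSTRATIVE ONLY,
# it stands in for the cryptographic tool and offers no security at all.
def toy_keypair(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": e}, {"n": n, "d": pow(e, -1, phi)}

def digest(tbs):
    """Canonical hash of the to-be-signed part; stands in for the DER/EDIFACT stream."""
    data = json.dumps(tbs, sort_keys=True, default=str).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(tbs, priv):
    return pow(digest(tbs) % priv["n"], priv["d"], priv["n"])

def verify(tbs, sig, pub):
    return pow(sig, pub["e"], pub["n"]) == digest(tbs) % pub["n"]

def utc(*ymd):
    return datetime(*ymd, tzinfo=timezone.utc)


class Directory:
    """Stand-in for the X.500 Directory (reached via LDAP in the real gateway)."""
    def __init__(self):
        self.certs = {}     # X.509 serial -> {"tbs": ..., "sig": ...}
        self.crl = {}       # issuer name -> set of revoked serials


class Gateway:
    def __init__(self, priv, pub, trust_anchors, directory):
        self.priv, self.pub = priv, pub
        self.trust_anchors = trust_anchors      # issuer name -> CA public key
        self.directory = directory
        self.names_mapping_table = {}           # derived reference -> initial serial
        self.counter = 0

    def _check_initial(self, cert, now):
        """Steps 3 and 4 of Sect. 2.2: signature, validity period, path, revocation."""
        tbs = cert["tbs"]
        ca_pub = self.trust_anchors.get(tbs["issuer"])
        if ca_pub is None:
            return "issuer not in certification path"
        if not verify(tbs, cert["sig"], ca_pub):
            return "initial certificate signature invalid"
        if not tbs["notBefore"] <= now <= tbs["notAfter"]:
            return "initial certificate outside validity period"
        if tbs["serial"] in self.directory.crl.get(tbs["issuer"], set()):
            return "initial certificate revoked"
        return None

    def request_derived(self, x509_cert, now):
        """Service 1 (Sect. 2.1): KEYMAN request carrying an X.509 certificate."""
        problem = self._check_initial(x509_cert, now)
        if problem:
            raise ValueError(problem)
        self.counter += 1
        ref = f"DEDICA-{self.counter:06d}"          # gateway-assigned USC.0536
        tbs = x509_cert["tbs"]
        derived_tbs = {      # names mapping rules not modelled: DN copied as owner name
            "USC.0536": ref, "USC.S500[OW].0586": tbs["subject"],
            "USC.S501[generation]": now, "USC.S501[validityStart]": tbs["notBefore"],
            "USC.S501[validityEnd]": tbs["notAfter"]}
        self.names_mapping_table[ref] = tbs["serial"]
        return {"tbs": derived_tbs, "USR": sign(derived_tbs, self.priv)}

    def validate_derived(self, derived, now):
        """Service 2 (Sect. 2.2): returns (valid, reason)."""
        tbs = derived["tbs"]
        if not verify(tbs, derived["USR"], self.pub):                         # step 1(a)
            return (False, "derived certificate not signed by this gateway")
        if not tbs["USC.S501[validityStart]"] <= now <= tbs["USC.S501[validityEnd]"]:  # 1(b)
            return (False, "derived certificate outside validity period")
        serial = self.names_mapping_table.get(tbs["USC.0536"])
        initial = self.directory.certs.get(serial)                            # step 2
        if initial is None:
            return (False, "initial certificate not found")
        problem = self._check_initial(initial, now)                           # steps 3-4
        return (False, problem) if problem else (True, "valid")

    def derived_crl(self):
        """Revocation list of derived certificates, as proposed in Sect. 5."""
        revoked = set().union(*self.directory.crl.values())
        return sorted(ref for ref, serial in self.names_mapping_table.items() if serial in revoked)


def build_scenario():
    """Constructed scenario: one X.509 CA, one user certificate, the gateway, the Directory."""
    ca_pub, ca_priv = toy_keypair(2147483647, 4294967291)
    gw_pub, gw_priv = toy_keypair(15485863, 1299709)
    directory = Directory()
    directory.crl["CN=Example CA"] = set()
    user_tbs = {"serial": 4711, "issuer": "CN=Example CA", "subject": "CN=User X,O=Example Co,C=ES",
                "notBefore": utc(1999, 1, 1), "notAfter": utc(2000, 1, 1)}
    user_cert = {"tbs": user_tbs, "sig": sign(user_tbs, ca_priv)}
    directory.certs[4711] = user_cert
    return Gateway(gw_priv, gw_pub, {"CN=Example CA": ca_pub}, directory), user_cert, directory


if __name__ == "__main__":
    gateway, cert, directory = build_scenario()
    derived = gateway.request_derived(cert, utc(1999, 3, 1))
    print(gateway.validate_derived(derived, utc(1999, 3, 1)))
    directory.crl["CN=Example CA"].add(4711)
    print(gateway.validate_derived(derived, utc(1999, 3, 1)), gateway.derived_crl())
```

The point the model makes is the dependency stated in Section 2: a derived certificate carries the gateway's signature, yet it becomes invalid the moment the initial X.509 certificate appears in the CA's CRL, because every validation goes back through the Names Mapping Table to the original certificate and its revocation status.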



X.500 Distributed Directory Access. As mentioned before, the DEDICA 
gateway needs to access the X.500 Distributed Directory in order to retrieve 
X.509 certificates and CRLs. This is accomplished mainly by the X.509 Public 
Key Infrastructure Messages Handler (XH module). 

The management of the directory objects and the search methods that are 
used, are based on the standard defined in the X.500 recommendation of the 
ITU-T. 

X.500 defines the Directory Access Protocol (DAP) for clients to use when 
contacting Directory servers. DAP is a heavyweight protocol that runs on a full 
OSI stack and requires a significant volume of computing resources to run. 

Given the complexity of DAP, the X.509 Public Key Infrastructure Messages 
Handler uses an LDAP (Lightweight Directory Access Protocol) interface to 
access the X.500 Directory. LDAP runs directly on TCP and provides most of 
the functionality of DAP at a much lower cost. 

LDAP offers all the needed functionality to interact with the X.500 Directory. 
The conversion of requests from LDAP to DAP is achieved by an LDAP server, 
which operates as a DUA (Directory User Agent) of the Directory. 



4 Systems where DEDICA is being Integrated 

The DEDICA consortium has developed both the gateway and client software 
that is being integrated within existing EDI applications. Within the project 
several pilot schemes have been launched in the following fields: customs, EDI 
software providers, electronic payment in banking, and public administration 
application forms for electronic commerce. 

DEDICA is also being integrated as part of the TEDIC system. The TEDIC 
system has been developed by ALCATEL/URACOM, and it offers a legal so- 
lution for the establishment of a specific "interchange agreement" between the 
involved parties for EDI trade transactions, without any prior contact. The TE- 
DIC system offers a set of security services for the different kinds of messages 
based on a range of security levels. It sets up a hierarchy based on a system of 
security policies, and allows dynamic and automatic negotiation of the transac- 
tion policy level. The integration of the DEDICA gateway in the TEDIC system 
means that TEDIC users can use not only EDIFACT certification but also 
X.509 certificates. In this way all the users registered in an X.509 PKI can become 
TEDIC users without having to register with an EDIFACT CA. DEDICA will 
generate X.509 certificates for the TEDIC users that wish to communicate with 
X.509 users. 
A project is being developed by AECOC (the EAN Spanish representative)(1) 
and UPC (Technical University of Catalonia), whose main objective is to specify 
and develop tools that permit EANCOM interchanges(2) to be secured and exchanged 
over the Internet. The security services applied follow the standards devel- 
oped by the UN/EDIFACT "Security Joint Working Group" (SJWG). In this 
scenario, DEDICA is being integrated into an X.509 Certification Authority de- 
veloped by esCERT-UPC(3). The esCERT-UPC organization provides help and 
advice on computer security and incident handling, and it is sponsored by UPC 
(Technical University of Catalonia), CICYT (Interministerial Science and Tech- 
nology Commission), the Generalitat of Catalonia and the European Union. The 
integration of the DEDICA gateway and the esCERT-UPC X.509 Certification 
Authority makes it possible for an X.509 CA to manage security objects of the EDI 
infrastructure. 

The DEDICA gateway extends the range of users and infrastructures with 
which the AECOC-UPC system can interact. The system becomes more heterogeneous: 
not only capable of acting in a closed EDI world, but also able to manage the 
security objects of other infrastructures, such as the X.509 certificates of an 
X.509 PKI. 

5 Future Work 

Part of the DEDICA project consortium is still working to extend the 
gateway's functionality, especially in the domain of validation and revocation 
management. 

In EDIFACT, a Certificate Revocation List is a KEYMAN message, digi- 
tally signed by the CA, containing the identifiers of certificates that have been 
revoked by the issuing CA. A receiver of a signed EDIFACT message with a 
certificate can retrieve the CRL from a publicly accessible repository to deter- 
mine whether that certificate is on the list of revoked certificates. Alternatively, 
a security domain could delegate the facility for validating individual certificates 
to a trusted authoritative entity. In this context, users wanting to validate a 
received certificate would request validation by sending a KEYMAN message to 
this trusted entity. 

At present, revocation management is solved indirectly: the user can request 
the validation of a derived EDIFACT certificate from the gateway; the gateway 
then recovers the original X.509 certificate related to the derived certificate, 
and searches for this certificate in the appropriate CRLs published in the X.500 
Directory. 

¹ AECOC: Since 1977 AECOC has been the representative of EAN International in
Spain. AECOC is responsible for the management and promotion of the bar-codes of
products and services, and Electronic Data Interchange (EDI), http://www.aecoc.es

² EANCOM is responsible for the management of profiles of EDIFACT messages
standardized by EAN.

³ esCERT-UPC: Spanish Computer Emergency Response Team, http://escert.upc.es
The DEDICA gateway's revocation management could then go through the
EDIFACT Revocation Lists of derived certificates generated by the gateway.
The DEDICA gateway could periodically check the status of the initial X.509
certificates. When an original X.509 certificate was revoked, the derived
certificate related to it would also have to be considered as revoked. The gateway
would generate the KEYMAN message with the corresponding revocation list of
EDIFACT derived certificates, and it would publish it in the X.500 Distributed
Directory.

When the DEDICA gateway received a validation request for an EDIFACT 
derived certificate, it would look at this EDIFACT CRL in the X.500. If this 
certificate was not on this list, it would follow the normal process previously 
outlined. 



6 Conclusions 

Interoperability between the X.509 and EDIFACT PKIs can be greatly enhanced
by facilities such as the DEDICA gateway, which acts as a TTP capable of offering
a basic set of certificate management services to users of both infrastructures.

The DEDICA project has developed a gateway to translate security objects 
between X.509 and EDIFACT. This solution also provides interoperability be- 
tween EDIFACT and all the other tools used in electronic commerce, since all 
of them authenticate the entities using X.509 certificates. 

The DEDICA gateway is presently being integrated into several pilot schemes
and projects in the field of electronic certification, such as the TEDIC system,
the AECOC-UPC EDI on Internet project, and the esCERT X.509 Certification
Authority.

The DEDICA gateway should be of interest to both large-scale enterprises
and SMEs; however, it is especially useful for SMEs. This is because it allows for
security in the interchange of messages, without the need to pay registration fees
for several different infrastructures. This is the reason why the DEDICA project
was selected as one of the G8 pilot projects to promote the use of Information
Technology in SMEs. The sharing of the certification infrastructure between the
e-mail or distributed application users and the EDI users will quickly satisfy the
EDI users' requirements for global service provision. The integration of public key
certificates from X.509 and EDI will provide means to share common information
and infrastructure over the most widely used telematics application, email,
and the most economical, EDI. The main advantage for the user will be the
possibility of sharing the authentication mechanism (digital signature, tools, etc.)
between the various applications, thus avoiding the burden of having to register
for different services to satisfy one single user requirement.

Moreover, the service has been quickly deployed and made available, thanks
to the fact that no additional registration infrastructure is needed, due to its
compatibility with the EDIFACT and X.509 infrastructures. This service will
promote the use of the Internet by EDI applications (since it will allow them to
secure the interchanges which have been identified), in contrast to the major
barriers to the deployment of EDI over the Internet which existed in the past.

Another functional advantage of the DEDICA gateway is its independence
from the communication protocols used by the applications, and its transparency
to the users of both PKIs. In this way, an EDI/X.509 user need not know that
the certificate he is managing is a certificate automatically generated by
the DEDICA gateway and derived from an X.509/EDIFACT certificate.

As part of the project, several pilot schemes have been launched to demonstrate
the system in the following fields: customs, electronic chambers of commerce,
tourism, electronic products manufacturers, EDI software providers and
electronic payment in banking and public administration.
Abstract. The all-or-nothing property is a new encryption mode proposed
by Rivest; it has the property that one must decrypt the entire ciphertext
to determine any plaintext block. In this paper, we propose a hash
function with the all-or-nothing property. The proposed scheme can use
existing hash functions without changing their structures, and it is secure
against all known attacks. Moreover, the proposed method can be
easily extended to a MAC (Message Authentication Code) and provide
message confidentiality as well as authentication.



1 Introduction 

Hash functions are functions that map bitstrings of arbitrary finite length into
strings of fixed length. They play an important role in modern cryptography as a
tool for providing integrity and authentication. The basic idea of hash functions
is that a hash value serves as a compressed representative image of an input string
and can be used for uniquely identifying that string. Hash functions are classified
into two classes: unkeyed hash functions with a single parameter, a message, and
keyed hash functions with two distinct inputs, a message and a secret key. Keyed
hash functions are used to construct MACs (Message Authentication Codes).
The MAC is widely used to provide data integrity and data origin authentication.

Rivest proposed a new encryption mode, referred to as the "all-or-nothing
encryption mode". This mode has the property that one must decrypt the
entire ciphertext before one can determine even one message block. One of the
design principles of a hash function is to make the hash value dependent on the entire
input message and to make finding collisions hard. For existing hash functions, a
collision may be found by modifying any block of the input message. In this paper,
we propose a secure hash function with the all-or-nothing property, a new
encryption mode proposed by Rivest. The proposed scheme uses existing
hash functions without changing the hash algorithm, and makes them secure
against known attacks. Also, the proposed scheme can be easily extended to a
MAC, which can provide message confidentiality as well as authentication.

H. Imai and Y. Zheng (Eds.): PKC'99, LNCS 1560, pp. 263-…, 1999.

The remainder of this paper is organized as follows. In section 2, we summarize
hash functions, and in section 3 the all-or-nothing property is described.
In section 4, we propose and analyze a new construction scheme for a hash
function using the all-or-nothing property. Finally, we give conclusions in section 5.



2 Hash Functions 

Hash functions (more exactly, cryptographic hash functions) are functions that
map bitstrings of arbitrary finite length into strings of fixed length. This output
is commonly called a hash value, a message digest, or a fingerprint. Given h and
an input x, computing h(x) must be easy. A one-way hash function must satisfy
the following properties:

- preimage resistance: it is computationally infeasible to find any input which
hashes to any pre-specified output. That is, given a y in the image of h, it
is computationally infeasible to find an input x such that h(x) = y.

- second preimage resistance: it is computationally infeasible to find any second
input which has the same output as any specified input. That is, given
an x and y = h(x), it is computationally infeasible to find an input
x' ≠ x such that h(x') = y.

A cryptographically useful hash function must satisfy the following additional
property:

- collision resistance: it is computationally infeasible to find a collision. That
is, it is computationally infeasible to find a pair of two distinct inputs x and
x' such that h(x) = h(x').

Almost all hash functions are iterative processes which hash inputs of arbitrary
length by processing successive fixed-size blocks of input. The input X is
padded to a multiple of the block length and subsequently divided into t blocks $X_1$
through $X_t$. The hash function h can then be described as follows:

$H_0 = IV,\quad H_i = f(H_{i-1}, X_i),\ 1 \le i \le t,\quad h(X) = H_t$

where f is the compression function of h, $H_i$ is the chaining variable between
stage i − 1 and stage i, and IV is the initial value.

The block diagram of the iterative hash function using the compression function
is shown in Fig. 1.

The computation of the hash value is dependent on the chaining variable. 
At the start of hashing, this chaining variable has a fixed initial value which 
is specified as part of the algorithm. The compression function is then used to 
update the value of this chaining variable in a suitably complex way under the 
action and influence of part of the message being hashed. This process continues 
Fig. 1. The use of a compression function in an iterative hash function

recursively, with the chaining variable being updated under the action of different
parts of the message, until all the message has been used. The final value of the
chaining variable is then output as the hash value corresponding to that message.
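The iteration just described, written out as an added Python example that is not part of the paper: it pads the input, appends the length block (the MD-strengthening discussed below) and runs the chain H_0 = IV, H_i = f(H_{i-1}, X_i), h(X) = H_t. The compression function f is an assumption for the example (SHA-256 over the concatenation of the chaining variable and the block) standing in for a real MD4-style compression function; the block length, chaining length and all-zero IV are likewise chosen for the example.

```python
import hashlib
import struct

BLOCK_LEN = 64           # block length in bytes (512 bits, as in MD5/SHA-1)
CHAIN_LEN = 32           # length of the chaining variable H_i in bytes
IV = bytes(CHAIN_LEN)    # fixed, publicly-known initial value (constructed: all zero)


def compress(h_prev: bytes, block: bytes) -> bytes:
    """Stand-in for the compression function f(H_{i-1}, X_i).

    Assumption: SHA-256 over (H_{i-1} || X_i) plays the role of f here; a
    dedicated hash function would use an MD4-style round structure instead.
    """
    assert len(h_prev) == CHAIN_LEN and len(block) == BLOCK_LEN
    return hashlib.sha256(h_prev + block).digest()


def md_strengthen(message: bytes) -> bytes:
    """Pad to a multiple of BLOCK_LEN and append the message length.

    MD-strengthening: a 0x80 byte, then zeros, then the bit length of the
    original message as an 8-byte big-endian integer in the final block.
    """
    bit_len = len(message) * 8
    padded = message + b"\x80"
    padded += b"\x00" * ((BLOCK_LEN - 8 - len(padded)) % BLOCK_LEN)
    padded += struct.pack(">Q", bit_len)
    assert len(padded) % BLOCK_LEN == 0
    return padded


def iterative_hash(message: bytes) -> bytes:
    """h(X): H_0 = IV, H_i = f(H_{i-1}, X_i) for 1 <= i <= t, h(X) = H_t."""
    padded = md_strengthen(message)
    blocks = [padded[i:i + BLOCK_LEN] for i in range(0, len(padded), BLOCK_LEN)]
    h = IV
    for block in blocks:          # chaining variable updated block by block
        h = compress(h, block)
    return h


def block_count(message: bytes) -> int:
    """Number of blocks t the message occupies after padding and strengthening."""
    return len(md_strengthen(message)) // BLOCK_LEN


if __name__ == "__main__":
    print(iterative_hash(b"abc").hex())
```

Note that the length block costs one extra compression whenever the message plus the 0x80 byte leaves fewer than 8 free bytes in the last block, which is why `block_count` jumps from 1 to 2 between 55 and 56 bytes of input.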

Based on the construction of the internal compression function, hash functions
can be classified as follows:

- hash functions based on block ciphers

- hash functions based on modular arithmetic

- dedicated hash functions

Dedicated hash functions have fast processing speed and are independent of
other system subcomponents such as block cipher and modular multiplication
subcomponents. Most existing dedicated hash functions have a structure
similar to that of MD4, which was designed by R. Rivest in 1990. Typical
examples of dedicated hash functions are the MD family hash functions such
as MD5, RIPEMD-160, SHA-1, HAVAL, and SMB.

According to the theory of Merkle and Damgård, MD-strengthening denotes
appending an additional block at the end of the input string containing
its length. It is possible to relate the security of the hash function h to the security
of the compression function f and the output function g according to the following
theorem.

Theorem 1. Let h be an iterative hash function with MD-strengthening.
Then finding a preimage or second preimage of h has the same complexity as
the corresponding attack on the compression function f and the output function g.

An n-bit hash function has ideal security if it satisfies the following:

(a) Given a hash value, finding a preimage or a second preimage requires about
$2^n$ operations.

(b) Finding a collision pair requires about $2^{n/2}$ operations.

Given a specific hash function, it is desirable to be able to prove a lower 
bound on the complexity of attacking it. But such results are rarely known. 
Typically, the security of a hash function is the complexity of the applicable 
known attack. 
3 All-or-Nothing Property

In 1997, Rivest proposed all-or-nothing encryption, a new encryption mode
for block ciphers. This mode has the property that one must decrypt the
entire ciphertext before one can determine even one message block. This means
that brute-force searches against all-or-nothing encryption are slowed down by
a factor equal to the number of blocks in the ciphertext.

The problem with most popular encryption modes is that the adversary can 
obtain one block of plaintext by decrypting just one block of ciphertext. This 
makes the adversary’s key-search problem relatively easy, since decrypting a 
single ciphertext block is enough to test a candidate key. 

Let us say that an encryption mode for a block cipher is separable if it has
the property that an adversary can determine one block of plaintext by decrypting
just one block of ciphertext. Rivest defined a strongly non-separable mode as
follows:

Definition 1. Suppose that a block cipher encryption mode transforms a
sequence $m_1, m_2, \dots, m_s$ of s message blocks into a sequence $c_1, c_2, \dots, c_t$ of t
ciphertext blocks for some t, t > s. We say that the encryption mode is strongly
non-separable if it is infeasible to determine even one message block $m_i$ (or any
property of a particular message block $m_i$) without decrypting all t ciphertext
blocks.

Rivest proposed the strongly non-separable modes as follows:

- Transform the message sequence $m_1, m_2, \dots, m_s$ into a "pseudo-message"
sequence $m'_1, m'_2, \dots, m'_{s'}$ (for some s' > s) with an "all-or-nothing
transform".

- Encrypt the pseudo-message with an ordinary encryption mode with the
given cryptographic key K to obtain the ciphertext sequence $c_1, c_2, \dots, c_t$.

We call encryption modes of this type "all-or-nothing encryption modes". To
make this work, the all-or-nothing transform has to have the following
properties:

Definition 2. A transform T mapping a message sequence $m_1, m_2, \dots, m_s$
into a pseudo-message sequence $m'_1, m'_2, \dots, m'_{s'}$ is said to be an all-or-nothing
transform if

(1) The transform T is reversible: given the pseudo-message sequence, one can
obtain the original message sequence.

(2) Both the transform T and its inverse are efficiently computable.

(3) It is computationally infeasible to compute any function of any message
block if any one of the pseudo-message blocks is unknown.

An all-or-nothing encryption mode is strongly non-separable. The all-or-nothing
transform is not itself encryption, since it makes no use of any secret key
information. The actual encryption is the operation that encrypts the pseudo-message.
An all-or-nothing transform is a fixed public transform that anyone can perform
on the message to obtain the pseudo-message, or invert, given the pseudo-message,
to obtain the original message.

Rivest proposed the all-or-nothing transform referred to as the "package
transform", as follows:

(1) Let the input message be $m_1, m_2, \dots, m_s$.

(2) Choose at random a key K for the package transform block cipher.

(3) Compute the output sequence $m'_1, m'_2, \dots, m'_{s'}$ for s' = s + 1 as follows:

• $m'_i = m_i \oplus E(K, i)$ for i = 1, 2, 3, ..., s.

• Let

$m'_{s'} = K \oplus h_1 \oplus h_2 \oplus \dots \oplus h_s,$

where

$h_i = E(K_0, m'_i \oplus i)$ for i = 1, 2, ..., s,

where $K_0$ is a fixed, publicly-known encryption key.

The block cipher for the package transform does not use a secret key, and need
not be the same as the block cipher for encrypting the pseudo-message. We
assume that the key space for the package transform block cipher is sufficiently
large that brute-force searching for a key is infeasible. It is easy to see that the
package transform is invertible:

$K = m'_{s'} \oplus h_1 \oplus \dots \oplus h_s,$

$m_i = m'_i \oplus E(K, i)$ for i = 1, 2, ..., s.

If any block of the pseudo-message sequence is unknown, K cannot be computed,
and so it is infeasible to compute any message block.

An all-or-nothing transform is merely a pre-processing step, and so it can
be used with already-existing encryption software and devices, without changing
the encryption algorithm. The legitimate communicants pay a penalty of
approximately a factor of three in the time it takes them to encrypt or decrypt in
all-or-nothing mode, compared to an ordinary separable encryption mode. However,
an adversary attempting a brute-force attack pays a penalty of a factor of
t, where t is the number of blocks in the ciphertext.
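Rivest's package transform and its inverse, as an added Python example (not code from the paper or from Rivest). The block cipher E is replaced by an assumed keyed pseudo-random function built from HMAC-SHA256 and truncated to the block length, since the standard library ships no block cipher; the public key K_0 and the sample blocks are constructed values. The last function shows the property the text relies on: inverting with any one pseudo-message block unknown yields the wrong K, and therefore every message block comes out wrong, not just the missing one.

```python
import hashlib
import hmac

BLOCK = 16                 # block length in bytes of the package-transform cipher
K0 = b"\x00" * BLOCK       # fixed, publicly-known key K_0 (constructed value)


def E(key: bytes, block: bytes) -> bytes:
    """Stand-in for the block cipher E(K, x).

    Assumption: the paper uses a block cipher here; the standard library has
    none, so HMAC-SHA256 truncated to BLOCK bytes plays the role of a keyed
    pseudo-random function of the block.
    """
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def counter_block(i: int) -> bytes:
    """Encode the block index i as a BLOCK-byte big-endian value."""
    return i.to_bytes(BLOCK, "big")


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def package_transform(message_blocks: list, K: bytes) -> list:
    """m'_i = m_i xor E(K, i) for i = 1..s, then
    m'_{s+1} = K xor h_1 xor ... xor h_s with h_i = E(K_0, m'_i xor i)."""
    pseudo = [xor(m, E(K, counter_block(i)))
              for i, m in enumerate(message_blocks, start=1)]
    last = K
    for i, mp in enumerate(pseudo, start=1):
        last = xor(last, E(K0, xor(mp, counter_block(i))))
    return pseudo + [last]


def inverse_package_transform(pseudo_blocks: list) -> list:
    """K = m'_{s+1} xor h_1 xor ... xor h_s, then m_i = m'_i xor E(K, i)."""
    *body, last = pseudo_blocks
    K = last
    for i, mp in enumerate(body, start=1):
        K = xor(K, E(K0, xor(mp, counter_block(i))))
    return [xor(mp, E(K, counter_block(i))) for i, mp in enumerate(body, start=1)]


def invert_with_unknown_block(pseudo_blocks: list, missing: int) -> list:
    """What a party lacking pseudo-block `missing` (1-based) recovers when it
    guesses that block as all zeros: K comes out wrong, so every m_i does."""
    damaged = list(pseudo_blocks)
    damaged[missing - 1] = bytes(BLOCK)
    return inverse_package_transform(damaged)


# Constructed sample input: three 16-byte message blocks and a 16-byte key K.
MESSAGE_BLOCKS = [b"0123456789abcdef", b"constructed blk2", b"third block here"]
SAMPLE_K = bytes(range(BLOCK))

if __name__ == "__main__":
    pseudo = package_transform(MESSAGE_BLOCKS, SAMPLE_K)
    print(inverse_package_transform(pseudo) == MESSAGE_BLOCKS)          # True
    print(invert_with_unknown_block(pseudo, 2) == MESSAGE_BLOCKS)      # False
```

The key K is random per message and is never transmitted on its own: it is only recoverable as the XOR of the last pseudo-block with the h_i of every other block, which is exactly what makes the transform non-separable without being encryption.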

In the following section, we propose a construction scheme for a hash function
with the all-or-nothing property. The aim of our new hash function design is
to obtain a fixed hash value dependent on the entire message, and to identify
the message uniquely. Thus the all-or-nothing property, which depends on the entire
message, is suitable for constructing a hash function.

4 A Hash Function with All-or-Nothing Property 

In this section, we propose the construction scheme of the hash function with
the all-or-nothing property. First, we propose three construction methods of
all-or-nothing hash functions and then analyze their security. Also, we apply them to
the MAC, which can provide message confidentiality as well as message
authentication. We use the following notation throughout the paper:

- n : the length of the output and of the chaining variable of a hash function

- k : the block size of a hash function

- X : an input message

- X' : the pseudo-message resulting from the all-or-nothing transform

- K : a randomly chosen k-bit key

- $K_p$ : a fixed and publicly-known k-bit key

- h() : an arbitrary hash function

- $h_x(y)$ : hash an input y with the initial value x

- IV : the initial value of a hash function

- ⊕ : bitwise XOR

- || : concatenation

- $\overline{Z}$ : make the n-bit Z k-bit by iterating it



4.1 All-or-Nothing Hash Function 1 (AON Hashing-1) 

The simple all-or-nothing hash function works as follows:

A. Sender

(1) Partition the input message X into t k-bit blocks, $X_1, X_2, \dots, X_t$.

(2) Generate a random k-bit key K.

(3) Compute the pseudo-message and the message digest as follows:

$H_0 = IV,\quad X'_{t+1} = K$

for i = 1 to t {

$X'_i = X_i \oplus f(K, H_{i-1}, i)$

$H_i = h_{H_{i-1}}(X'_i)$

$X'_{t+1} = X'_{t+1} \oplus g(K_p, X'_i, i)$

}

$H_{t+1} = h_{H_t}(X'_{t+1})$

(4) Send $(X' \| H_{t+1})$.

B. Receiver

(1) Receive $(X' \| MD)$.

(2) Partition the pseudo-message X' into t+1 k-bit blocks, $X'_1, X'_2, \dots, X'_{t+1}$.

(3) Recover the random key K:

$K = X'_{t+1} \oplus g(K_p, X'_1, 1) \oplus \dots \oplus g(K_p, X'_t, t)$

(4) Recover the original message and check the message digest:

$H_0 = IV$

for i = 1 to t {

$H_i = h_{H_{i-1}}(X'_i)$

$X_i = X'_i \oplus f(K, H_{i-1}, i)$

}

$H_{t+1} = h_{H_t}(X'_{t+1})$

(5) If $H_{t+1}$ is not equal to MD, reject the received message.

Here f(), g() must be selected to satisfy the properties of the all-or-nothing
transform described in section 3. Rivest proposed a construction scheme based
on a block cipher. This pays a penalty of approximately a factor of three in the time
it takes legitimate communicants to encrypt or decrypt in all-or-nothing mode,
compared to an ordinary separable encryption mode. For efficient
computation, we apply the round function of the block cipher. As a concrete
example, we use the SHA-1 hash function and the modified round function of RC6,
which was submitted as an AES candidate. The simulation result shows that the performance of
AON hashing-1 using the modified round function of RC6 is 12.17 Mbytes/sec,
while that of applying the entire block cipher is 3.66 Mbytes/sec.
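AON hashing-1 end to end, as an added Python example that is not the authors' code. The f and g functions of the appendix (built from RC6 rounds) are replaced by assumed domain-separated SHA-512 calls that return k = 512 bits, h_x(y) is approximated by SHA-256 over x || y (an assumption; hashlib cannot replace the IV), SHA-256 stands in for SHA-1, and the keys and message blocks are constructed. Flipping one bit anywhere in the transmitted pseudo-message changes the recovered K and the chaining variables, so the receiver's H_{t+1} disagrees with MD and the message is rejected.

```python
import hashlib

K_LEN = 64        # k = 512-bit message block and key length, in bytes
N = 32            # n = 256-bit chaining variable (SHA-256 stands in for SHA-1)
IV = bytes(N)     # fixed initial value (constructed: all zero)


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def h(iv: bytes, data: bytes) -> bytes:
    """h_x(y): hash y with initial value x.
    Assumption: SHA-256 over (x || y) stands in for running the hash with a replaced IV."""
    return hashlib.sha256(iv + data).digest()


def f(K: bytes, H_prev: bytes, i: int) -> bytes:
    """f(K, H_{i-1}, i): the k-bit keystream block that masks message block i.
    Assumption: domain-separated SHA-512 stands in for the RC6-round-based f of the appendix."""
    return hashlib.sha512(b"f" + K + H_prev + i.to_bytes(8, "big")).digest()


def g(Kp: bytes, Xp: bytes, i: int) -> bytes:
    """g(K_p, X'_i, i): k-bit contribution of pseudo-block i to the key-carrying last block.
    Assumption: same stand-in as f, keyed with the public constant K_p."""
    return hashlib.sha512(b"g" + Kp + Xp + i.to_bytes(8, "big")).digest()


def aon1_send(blocks, K, Kp):
    """Sender: returns (X'_1 || ... || X'_{t+1}, H_{t+1})."""
    H, last, pseudo = IV, K, []             # H_0 = IV, X'_{t+1} starts out as K
    for i, x in enumerate(blocks, 1):
        xp = xor(x, f(K, H, i))             # X'_i = X_i xor f(K, H_{i-1}, i)
        H = h(H, xp)                        # H_i = h_{H_{i-1}}(X'_i)
        last = xor(last, g(Kp, xp, i))      # X'_{t+1} = X'_{t+1} xor g(K_p, X'_i, i)
        pseudo.append(xp)
    return b"".join(pseudo) + last, h(H, last)   # H_{t+1} = h_{H_t}(X'_{t+1})


def aon1_receive(stream, md, Kp):
    """Receiver: recover K, then the message; None if the digest check fails."""
    blocks = [stream[j:j + K_LEN] for j in range(0, len(stream), K_LEN)]
    *pseudo, last = blocks
    K = last                                # K = X'_{t+1} xor g(K_p, X'_1, 1) xor ... xor g(K_p, X'_t, t)
    for i, xp in enumerate(pseudo, 1):
        K = xor(K, g(Kp, xp, i))
    H, out = IV, []
    for i, xp in enumerate(pseudo, 1):
        out.append(xor(xp, f(K, H, i)))     # X_i = X'_i xor f(K, H_{i-1}, i)
        H = h(H, xp)                        # H_i = h_{H_{i-1}}(X'_i)
    if h(H, last) != md:                    # H_{t+1} must equal MD
        return None
    return out


# Constructed sample data: three 64-byte blocks, a random-looking K and a fixed public K_p.
SAMPLE_BLOCKS = [bytes([b] * K_LEN) for b in (0xA1, 0xB2, 0xC3)]
SAMPLE_K = hashlib.sha512(b"constructed random key K").digest()
SAMPLE_KP = hashlib.sha512(b"constructed public K_p").digest()


def flip_bit(stream: bytes, pos: int) -> bytes:
    """Flip one bit of the transmitted pseudo-message at byte offset pos."""
    return stream[:pos] + bytes([stream[pos] ^ 0x80]) + stream[pos + 1:]


if __name__ == "__main__":
    stream, md = aon1_send(SAMPLE_BLOCKS, SAMPLE_K, SAMPLE_KP)
    print(aon1_receive(stream, md, SAMPLE_KP) == SAMPLE_BLOCKS)       # True
    print(aon1_receive(flip_bit(stream, 70), md, SAMPLE_KP) is None)  # True
```

Because every pseudo-block feeds both the chaining variable (through h) and the recovery of K (through g), a single corrupted block is detected by the digest rather than silently yielding a one-block plaintext error, which is the behaviour an ordinary iterated hash over the plain message would not give.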

As another all-or-nothing transform, it is possible to apply a bijective
function. First, choose a bijective function f mapping the entire input message
to the pseudo-message, and compute the pseudo-message M' = f(M). Then
encrypt the pseudo-message M' using the block cipher. The receiver can obtain
the original message M by applying $M = f^{-1}(M')$ after decrypting the
ciphertext. Here, $f^{-1}()$ is the inverse of f(). The selected bijective function must
satisfy that computing the inverse of the bijective function is infeasible if any block of
the pseudo-message is unknown. Even though there are some bijective functions
satisfying the above property, careful consideration will be needed for practical
purposes.

4.2 All-or-Nothing Hash Function 2 (AON Hashing-2)

This scheme uses the hash function as the all-or-nothing transform instead of the
block cipher.

A. Sender

(1) Partition the input message X into t n-bit blocks, $X_1, X_2, \dots, X_t$.

(2) Generate a random k-bit key K.

(3) Compute the pseudo-message X' by an all-or-nothing transform:

$X'_0 = IV,\quad X'_i = X_i \oplus h_{X'_{i-1}}(K \oplus i),\quad i = 1, 2, \dots, t$

(4) Compute the last pseudo-message block $X'_{t+1}$ (k bits long):

$X'_{t+1} = K \oplus \overline{h_{X'_1}(K_p \oplus 1) \oplus \dots \oplus h_{X'_t}(K_p \oplus t)}$

(5) Send $(X' \| h_{IV}(X'))$.

B. Receiver

(1) Receive $(X' \| MD)$ and check whether $MD = h_{IV}(X')$.

(2) Partition the pseudo-message X' into t n-bit blocks, $X'_1, X'_2, \dots, X'_t$, and
the k-bit $X'_{t+1}$.

(3) Recover the random key K:

$K = X'_{t+1} \oplus \overline{h_{X'_1}(K_p \oplus 1) \oplus \dots \oplus h_{X'_t}(K_p \oplus t)}$

(4) Recover the original message:

$X'_0 = IV,\quad X_i = X'_i \oplus h_{X'_{i-1}}(K \oplus i),\quad i = 1, 2, \dots, t$

AON hashing-2 uses the hash function as the all-or-nothing transform. This
scheme also has all the properties of AON hashing-1. An adversary may try to attack
after recovering the original message. Manipulation of the pseudo-message
is not a useful attack: if an attacker does not know any one block of the pseudo-message,
he cannot recover the random key K correctly, so he cannot obtain the original
message. For an effective attack, he has to find a collision of the pseudo-message
with the same hash value in advance, and then search for the message and random
key that map to this pseudo-message. Moreover, the fact that the (i − 1)th pseudo-message
block is used to compute the ith pseudo-message block increases
the security. AON hashing-2 pays a penalty of approximately a factor of three
compared to the original hash function. The simulation result shows that the
performance of AON hashing-2 is 10.05 Mbytes/sec, which corresponds to about
1/3 of the performance of SHA-1.

4.3 All-or-Nothing Hash Function 3 (AON Hashing-3)

AON hashing-3 is an improved version of AON hashing-2. Here we assume $K_p$
is a publicly-known n-bit constant.

A. Sender

(1) Partition the input message X into t n-bit blocks, $X_1, X_2, \dots, X_t$.

(2) Generate a random k-bit key K.

(3) Compute the pseudo-message X' by an all-or-nothing transform:

$X'_0 = IV,\quad X_0 = 0,\quad X'_i = X_i \oplus h_{X'_{i-1}}(K \oplus (X_{i-1} \| i)),\quad i = 1, 2, \dots, t$

(4) Compute the last pseudo-message block $X'_{t+1}$ (k bits long):

$MD = h_{K_p}(X'_1 \| \dots \| X'_t \| h_{IV}(K_p)),\quad X'_{t+1} = K \oplus \overline{MD}$

(5) Send $(X' \| h_{MD}(X'_{t+1}))$.

B. Receiver

(1) Receive $(X' \| MD)$.

(2) Partition the pseudo-message X' into t n-bit blocks, $X'_1, X'_2, \dots, X'_t$, and
the k-bit $X'_{t+1}$.

(3) Recover the random key K:

$MD' = h_{K_p}(X'_1 \| \dots \| X'_t \| h_{IV}(K_p)),\quad K = X'_{t+1} \oplus \overline{MD'}$

(4) Check whether $MD = h_{MD'}(X'_{t+1})$.

(5) Recover the original message:

$X'_0 = IV,\quad X_0 = 0,\quad X_i = X'_i \oplus h_{X'_{i-1}}(K \oplus (X_{i-1} \| i)),\quad i = 1, 2, \dots, t$

This scheme is an improved version of AON hashing-2. The all-or-nothing
transform depends on the underlying hash function, and has all the properties of AON
hashing-2. It is more difficult to find a collision of pseudo-messages, since all
intermediate chaining variables are used in computing the last pseudo-message
block $X'_{t+1}$. Also, we increase the security by using the hash value of the original
message in computing the pseudo-message. While AON hashing-2 pays a
penalty of a factor of three, AON hashing-3 improves the efficiency by applying
the hash function twice. The simulation result shows a performance of
15.07 Mbytes/sec. Compared to AON hashing-2, the performance is improved by
about 50%.
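AON hashing-2 (section 4.2) and AON hashing-3 (section 4.3) side by side, as an added Python example that is not the authors' code. h_x(y) is approximated by SHA-256 over x || y (an assumption; hashlib cannot replace the IV), Z-bar is implemented as repetition of the n-bit value out to k bits, the block index i is encoded as a big-endian integer of whatever width the XOR needs, and all keys and message blocks are constructed. Tampering with any pseudo-message block on the wire fails the h_IV(X') check of hashing-2 and the h_{MD'}(X'_{t+1}) check of hashing-3, because in both schemes every pseudo-block contributes to the value that masks K.

```python
import hashlib

N = 32           # n-bit output and chaining length in bytes (256 bits here)
K_LEN = 64       # k-bit key length in bytes (512 bits)
IV = bytes(N)    # fixed initial value (constructed: all zero)


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def h(iv: bytes, data: bytes) -> bytes:
    """h_x(y): hash y with initial value x.
    Assumption: SHA-256 over (x || y) stands in for a hash run with a replaced IV."""
    return hashlib.sha256(iv + data).digest()


def widen(z: bytes) -> bytes:
    """Z-bar: stretch the n-bit Z to k bits by repeating it."""
    return (z * (K_LEN // N + 1))[:K_LEN]


def ctr(i: int, length: int) -> bytes:
    """Block index i as a big-endian integer of the given byte length."""
    return i.to_bytes(length, "big")


def split(stream: bytes, t: int):
    """t n-bit pseudo-message blocks followed by the k-bit last block."""
    return [stream[i * N:(i + 1) * N] for i in range(t)], stream[t * N:]


# ---- AON hashing-2: K_p is a k-bit public constant ----
def aon2_send(blocks, K, Kp):
    pseudo, prev = [], IV
    for i, x in enumerate(blocks, 1):                 # X'_i = X_i xor h_{X'_{i-1}}(K xor i)
        xp = xor(x, h(prev, xor(K, ctr(i, K_LEN))))
        pseudo.append(xp)
        prev = xp
    mask = bytes(N)                                    # h_{X'_1}(K_p xor 1) xor ... xor h_{X'_t}(K_p xor t)
    for i, xp in enumerate(pseudo, 1):
        mask = xor(mask, h(xp, xor(Kp, ctr(i, K_LEN))))
    stream = b"".join(pseudo) + xor(K, widen(mask))   # X'_{t+1} = K xor mask-bar
    return stream, h(IV, stream)                       # send (X' || h_IV(X'))


def aon2_receive(stream, md, Kp, t):
    if h(IV, stream) != md:                            # check MD = h_IV(X')
        return None
    pseudo, last = split(stream, t)
    mask = bytes(N)
    for i, xp in enumerate(pseudo, 1):
        mask = xor(mask, h(xp, xor(Kp, ctr(i, K_LEN))))
    K = xor(last, widen(mask))                         # recover K
    out, prev = [], IV
    for i, xp in enumerate(pseudo, 1):                 # X_i = X'_i xor h_{X'_{i-1}}(K xor i)
        out.append(xor(xp, h(prev, xor(K, ctr(i, K_LEN)))))
        prev = xp
    return out


# ---- AON hashing-3: K_p is an n-bit public constant ----
def aon3_send(blocks, K, Kp):
    pseudo, prev_p, prev_x = [], IV, bytes(N)          # X'_0 = IV, X_0 = 0
    for i, x in enumerate(blocks, 1):                 # X'_i = X_i xor h_{X'_{i-1}}(K xor (X_{i-1} || i))
        xp = xor(x, h(prev_p, xor(K, prev_x + ctr(i, K_LEN - N))))
        pseudo.append(xp)
        prev_p, prev_x = xp, x
    md = h(Kp, b"".join(pseudo) + h(IV, Kp))           # MD = h_{K_p}(X'_1 || ... || X'_t || h_IV(K_p))
    last = xor(K, widen(md))                           # X'_{t+1} = K xor MD-bar
    return b"".join(pseudo) + last, h(md, last)        # send (X' || h_MD(X'_{t+1}))


def aon3_receive(stream, tag, Kp, t):
    pseudo, last = split(stream, t)
    md = h(Kp, b"".join(pseudo) + h(IV, Kp))           # MD'
    if h(md, last) != tag:                             # check tag = h_{MD'}(X'_{t+1})
        return None
    K = xor(last, widen(md))
    out, prev_p, prev_x = [], IV, bytes(N)
    for i, xp in enumerate(pseudo, 1):
        x = xor(xp, h(prev_p, xor(K, prev_x + ctr(i, K_LEN - N))))
        out.append(x)
        prev_p, prev_x = xp, x
    return out


# Constructed sample data: four 32-byte message blocks and fixed keys.
SAMPLE_BLOCKS = [bytes([b] * N) for b in (0x11, 0x22, 0x33, 0x44)]
SAMPLE_K = hashlib.sha512(b"constructed random key K").digest()
KP2 = hashlib.sha512(b"constructed public K_p").digest()   # k-bit K_p for hashing-2
KP3 = hashlib.sha256(b"constructed public K_p").digest()   # n-bit K_p for hashing-3


def tamper(stream: bytes, pos: int) -> bytes:
    """Flip one bit of the pseudo-message at byte offset pos."""
    return stream[:pos] + bytes([stream[pos] ^ 0x01]) + stream[pos + 1:]
```

The two constructions differ in where the work goes: hashing-2 hashes under every pseudo-block twice (once to mask the message, once to mask K), while hashing-3 hashes the whole pseudo-message once to get MD and reuses that digest both as the mask for K and as the IV of the final tag, which is the "applying the hash function twice" saving the text reports.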

4.4 Analysis of the Security

The existing known attacks for finding collisions, such as those on MD4, MD5 and
RIPEMD, are not directly applicable to AON hashing. For the proposed
scheme, we may suppose that the best known attack for finding a collision is the
birthday attack, which requires $2^{n/2}$ operations to find a collision pair for an n-bit
hash function. AON hashing requires the same number of operations. If n is 160 bits,
it provides sufficient security against the birthday attack.

Most existing known attacks on hash functions depend on manipulating
the message blocks. Since AON hashing transfers the pseudo-message instead
of the original message, an adversary must intercept the pseudo-message and
recover the original message. Manipulation of the pseudo-message is not effective,
because the receiver cannot then recover the original message correctly: the random
key K cannot be recovered exactly. Under this condition, if an attacker recovers
the original message and modifies it (so that the resulting pseudo-message is altered),
then the message digest would differ from the original one. Thus an
adversary has to find a different pseudo-message with the same hash value in
advance, and then compute the input message corresponding to the discovered
pseudo-message. That is, an attacker has to search for a collision of the pseudo-message
and find the random key K that maps the input message to the pseudo-message.
This requires a search for the random key K as well as finding a collision pair.
For finding preimage or second preimage, one must find a collision of pseudo- 
message with the same hash value in advance, which requires 2^ operations for 
AON hashing- 1, and then find an original message mapped to this collision of 
pseudo-message. If a function / behaves randomly, it requires 2^ * operations. 
For AON hashing-2, finding a collision of pseudo-message requires 2^ opera- 
tions, and finding a original message mapped to this collision of pseudo-message 
requires 2^ * operations. Similarly, for AON hashing-3, it requires total 2'2'+” * 
operations. 

For finding a collision message of a hash function, one may try to find a
message having the same message digest independently of the intermediate chaining
variables. AON hashing-1 is secure against this attack, because all intermediate
chaining variables are used to generate the pseudo-message. AON hashing-2 uses
the (i − 1)th pseudo-message block to generate the ith pseudo-message block, and
AON hashing-3 uses both the (i − 1)th pseudo-message block and the (i − 1)th original
message block to compute the ith pseudo-message block. Thus, AON hashing is
secure against attacks by manipulation of the message blocks.

By the above analysis, the proposed AON hashing may be supposed to have
ideal security, and to be secure against the existing known attacks.

4.5 An Application of AON Hashing

AON hashing can be easily applied to the MAC (Message Authentication Code).
By using AON hashing, it is possible to provide both authentication and
confidentiality for a message. In this case, both communicating parties have to
keep the (otherwise publicly-known) random constant $K_p$ secret. This MAC construction
may be considered a variant of the HMAC proposed by Bellare et al.:

$HMAC_k(x) = h(k \oplus opad,\ h(k \oplus ipad,\ x))$

The proposed MAC generates the pseudo-message by hashing (h) the message x,
and then applies h to the pseudo-message once again. That is, the generation of the
pseudo-message from the original message is considered as the inner hashing process
of HMAC. Thus AON-MAC has the same security as HMAC.

Moreover, the proposed MAC can provide message confidentiality as
well as authentication. An attacker who does not know $K_p$ may try to find
the random key K in order to recover the entire original message. For finding the
random key K, AON hashing-1 requires the cryptanalysis of g(), and AON
hashing-2 requires finding a $K_p$ having the same values as $h_{X'_i}(K_p \oplus i)$. For
AON hashing-3, one must find the $K_p$ which generates the same value as
$MD' = h_{K_p}(X'_1 \| \dots \| X'_t \| h_{IV}(K_p))$. This corresponds to the envelope method,
which is one of the MAC constructions using a hash function. The best known
attack on this scheme is the divide-and-conquer attack proposed by Preneel
and van Oorschot. If we use SHA-1 or RIPEMD-160, which are considered
secure hash functions, this attack is computationally infeasible. An adversary
who tries to decrypt only one block must cryptanalyze f() for AON
hashing-1. If the random key K used is 512 bits long, this is infeasible. For AON
hashing-2 and AON hashing-3, it requires $2^n$ operations to decrypt only
one block. If n is at least 160 bits, this is infeasible.

We can improve the security by adding some overhead to the above schemes. We
can encrypt the last pseudo-message block and message digest pair $(X'_{t+1}, MD)$
using a block cipher with a secret key $K_s$, and send it to the recipient. If
$X'_{t+1}$ is 512 bits long and MD is 160 bits long, the total length of the encrypted
block is 672 bits. This hardly affects the performance. However, an attacker
must then find both $K_s$ and $K_p$ to decrypt the entire message.

The confidentiality of the proposed MAC does not have the property that one
must decrypt the entire ciphertext before one can determine even one message
block. But it can provide both authentication and confidentiality using only
hash functions. AON hashing-2 and AON hashing-3 are constructed using only
hash functions. They are more efficient than the all-or-nothing transform
using a block cipher, and they can avoid patent and export restrictions.
The proposed schemes pay a penalty of approximately a factor of two compared
to an ordinary hash function, but they can be performed efficiently in parallel.

5 Conclusions 

In this paper, we proposed hash functions using the all-or-nothing transform.
The all-or-nothing transform proposed by Rivest has the property
that one must decrypt the entire ciphertext before one can determine even one
message block. Since hash functions must provide a hash value dependent
on the entire input message, the all-or-nothing property is suitable for hash
functions. The proposed schemes use existing hash functions without changing
their structures, and make existing hash functions secure against known attacks.
Moreover, the proposed schemes can be easily applied to construct a MAC,
which can provide both authentication and confidentiality.

As further research, we will study more efficient all-or-nothing
transforms. As discussed in section 4, careful consideration is needed to
devise efficient bijective functions and more efficient f(), g() functions.
Appendix: A simple example of the f, g functions used in AON
hashing-1

Here we show a simple example of the f, g functions used in AON hashing-1. We use
the round function of RC6, a block cipher submitted as an AES candidate.
The functions f(), g() used are as follows:

(1) f() function: $f(K, H_i, i)$

Let K, $K_p$, $X_i$ and $X'_i$ be 512 bits long, which is the length of the input block of
the hash function. i denotes the number of the message block, and is 64 bits
long.

Step 1. Expand the 8-byte i into the 64-byte W as shown in Fig. 2.

Fig. 2. [Figure not recoverable from the scan; visible labels: $H_{i-1}$ (160 bits), "first 32 bits of T".]

Here the f function is f(x) = x × (2x + 1), and PHT (Pseudo-Hadamard Transform)
is PHT(a, b) = (2a + b, a + b), which is used in the SAFER K-64 block cipher.

Step 2. Process W 256 bits at a time as shown in Fig. 3 (U[i] and K[i] are 32 bits long).

Fig. 3. [Figure not recoverable from the scan.]

(2) g() function: $g(K_p, X'_i, i)$

Step 1. XOR i into the beginning and the end of $X'_i$.

Step 2. This step is equal to Step 2 of the f() function.
Abstract. One of the key directions in complexity theory which has
also filtered through to cryptographic research is the effort to classify
related but seemingly distinct notions. Separation or reduction arguments
are the basic means for this classification.

Continuing this direction we identify a class of problems, called "matching
problems," which are related to the class of "decision problems." In
many cases, these classes are neither trivially equivalent nor distinct.
Briefly, a "decision" problem consists of one instance and a supposedly
related image of this instance; the problem is to decide whether the instance
and the image indeed satisfy the given predicate. In a "matching"
problem two such pairs of instances-images are given, and the problem is
to "match" or "distinguish" which image corresponds to which instance.
Clearly the decision problem is more difficult, since given a "decision"
oracle one can simply test each of the two images to be matched against
an instance and solve the matching problem. Here we show that the opposite
direction also holds, presuming that randomization of the input is
possible, and that the matching oracle is successful in all but a negligible
part of its input set.

We first apply our techniques to show equivalence between the matching
Diffie-Hellman and the decision Diffie-Hellman problems, which were
both applied recently quite extensively. This is a constructive step towards
examining the strength of the Diffie-Hellman related problems.
Then we show that in cryptosystems which can be uniformly randomized,
non-semantic security implies that there is an oracle that decides
whether a given plaintext corresponds to a given ciphertext. In the process
we provide a new characteristic of encryption functions, which we
call "universal malleability."

Keywords. Diffie-Hellman variants, randomized reductions, uniform reductions,
public-key encryption, homomorphic encryption functions (ElGamal,
Goldwasser-Micali, Okamoto-Uchiyama, Naccache-Stern), random
self-reducibility, decision problems, matching problems, universal
malleability.
1 Introduction



Recently we have seen a number of constructions that are based on the difficulty of the decision Diffie-Hellman problem, ranging from ElGamal-based en- […] functions. […] of this problem, called "matching Diffie-Hellman," have also appeared, mainly in electronic cash systems. Our first goal in this paper is to investigate the relationships between these variations and the original problem. To this extent we conclude that the problems are equivalent; this can be seen either as a strengthening of the matching Diffie-Hellman assumptions, or as a weakening of the decision Diffie-Hellman assumption.



Since our reduction techniques for deriving this equivalence are general, they can be applied to other settings in order to transform matching oracles to decision oracles. One such setting is the setting of secure encryption, i.e., the concept of indistinguishability of encryptions. In this context we show, under a specific assumption about the encryption scheme, that distinguishability of encryptions allows us to decide whether a given plaintext corresponds to a given ciphertext. Loosely speaking, this direction enhances the relationship between indistinguishability and semantic security in the sense that it provides, even if only for a limited set of cryptosystems, a specific kind of information that can be retrieved about a ciphertext, if the encryption is not secure in the sense of indistinguishability.



In the course of defining the properties that we require from a cryptosystem that allows this "attack," we propose a new definition, that of universally malleable cryptosystems. Intuitively, these are encryption schemes in which, without knowledge of the secret key, one can randomize, independently, both the message and the ciphertext. Typically this property is derived from the random self-reducibility of some underlying problem. Examples of such systems are the ElGamal cryptosystem, the Okamoto-Uchiyama factoring-based cryptosystem, the Naccache-Stern higher-order residue cryptosystem and the Goldwasser-Micali quadratic-residue cryptosystem.



Finally, one can use our methodology to show equivalences between general decision and matching problems. However, the equivalence can be shown only when the "matching oracle" can operate on all but a negligible part of the problem set and when inputs to the oracle can be randomized; this is why universal malleability is required for the case of encryption systems.

Organization: In section 2 we define the matching and decision Diffie-Hellman problems. We proceed to collapse the decision problem to the matching one, i.e., prove equivalence, in section 3. In section 4 we apply our result to cryptosystems, and in section 5 we discuss additional variants of the matching Diffie-Hellman problem.
2 Matching Diffie-Hellman and Decision Diffie-Hellman

In this section we formally define the Matching Diffie-Hellman and the Decision Diffie-Hellman problems. We begin by defining the common setting.

Common setting. For security parameter n, primes P and Q are chosen such that $|P - 1| = \delta + n$ for a specified constant $\delta$, and $P = \gamma Q + 1$ for a specified integer $\gamma$. Then a unique subgroup $G_Q$ of prime order Q of the multiplicative group $Z_P^*$ and a generator g of $G_Q$ are defined. All the subsequent calculations are performed mod P, except operations involving exponents, which are performed mod Q.



Definition 1. (Decision Diffie-Hellman Problem) For security parameter n, P a prime with $|P - 1| = \delta + n$ for a specified constant $\delta$, for $g \in Z_P^*$ a generator of prime order $Q = (P - 1)/\gamma$ for a specified integer $\gamma$ and for uniformly chosen $a, b \in_R G_Q$, given $[g^{a}, g^{b}, y]$ output 0 if $y = g^{ab} \pmod P$ and 1 otherwise, with probability better than $\frac{1}{2} + \frac{1}{n^c}$ for some constant c for large enough n.

The decision Diffie-Hellman assumption (DDH) states that it is infeasible 
for a p.p.t. adversary to solve the Decision Diffie-Hellman problem. 



Definition 2. (Matching Diffie-Hellman Problem) For security parameter n, for uniformly chosen $a_i, b_i \in_R G_Q$ ($i \in \{0, 1\}$), P a prime with $|P - 1| = \delta + n$ for a specified constant $\delta$, and for $g \in Z_P^*$ a generator of prime order $Q = (P - 1)/\gamma$ for a specified small integer $\gamma$, given $[g^{a_0}, g^{b_0}]$, $[g^{a_1}, g^{b_1}]$ and $g^{a_r b_r}, g^{a_{\bar r} b_{\bar r}}$, $r, \bar r \in_R \{1, 0\}$, $r \oplus \bar r = 1$, find r with probability better than $\frac{1}{2} + \frac{1}{n^c}$ for some constant c for large enough n.

The matching Diffie-Hellman assumption (MDH) states that it is infeasible 
for a p.p.t. adversary to solve the Matching Diffie-Hellman problem. 

Clearly, the DDH problem is at least as hard as the MDH since via two 
calls to a decision oracle we can solve the matching problem. The goal of the 
next section is to show the equivalence of these two problems. Intuitively, the 
problem of mapping the right Diffie-Hellman triplets together seems related to 
deciding whether a given triplet is a correct Diffie-Hellman triplet or not. But 
it is not clear whether, and how, one can use the seemingly weaker matching 
oracle to solve the decision problem. Here we prove the reduction by giving an 
exact construction to achieve it. We only show one direction (matching oracle 
to decision oracle) since the converse is straightforward. 

These results can be extended to the case where an adversary has to select 
which of two ciphertexts maps to which of two plaintexts (indistinguishability 
of encryptions), versus where she has to decide whether a given ciphertext is 
the encryption of a given plaintext. In other words, we show that indistinguisha- 
bility of encryptions (and therefore semantic security) is equivalent to deciding 
whether a given ciphertext corresponds to a given plaintext. This however only holds under a specific assumption on the encryption scheme. Under this assumption, this is an extension of the notion of "matching" (distinguishability) of two ciphertext/plaintext pairs, as traditionally defined.

3 Matching Diffie-Hellman is at Least as Hard as Decision Diffie-Hellman

In this section we show how an attacker, given an oracle that solves the MDH problem with probability non-negligibly better than $\frac{1}{2}$ (random guessing), can decide whether a given triplet is a correct Diffie-Hellman triplet or not with probability non-negligibly better than random guessing. We are dealing with the uniform case.



Theorem 3. Assume that there exists a probabilistic polynomial time Turing Machine which given an instance of the Matching Diffie-Hellman Problem gives the correct answer with probability better than $\frac{1}{2} + \frac{1}{n^c}$ for some constant c for large enough n. Then, there exists a p.p.t. TM which, given an instance of the Decision Diffie-Hellman Problem, gives the correct answer with probability better than $\frac{1}{2} + \frac{1}{n^{c'}}$ for some constant c' for large enough n.

Proof. The proof is constructive. We show the steps that an adversary needs to 
take so that given a decision Diffie-Hellman problem she can solve it using the 
matching Diffie-Hellman oracle. This involves two phases. 

1. Testing Phase. 

In this phase the oracle’s behavior on incorrect inputs is tested. We will 
show that the oracle distinguishes either between two correct triplets and a 
correct and an incorrect one, or between a correct and an incorrect triplet 
and two incorrect ones. This fact will be used in the next phase to help us 
decide on whether the candidate Diffie-Hellman triplet is correct or not. 
First observe that if the oracle is given two random (i.e., non Diffie-Hellman) triplets, it cannot guess the attacker's random coin tosses for r, simply because no information (in the Shannon sense) about r is encoded in the input to the oracle. Formally, assume that the attacker uniformly and independently selects $r \in_R \{0, 1\}$, $a_i, b_i$ ($i \in \{0, 1\}$), $v, w \in_R G_Q$, and then uses the oracle to estimate the quantity^

$$\Pr[A([g^{a_0}, g^{b_0}], [g^{a_1}, g^{b_1}], g^{v}, g^{w}) = r] - \tfrac{1}{2},$$

where $v, w \neq a_i b_i \pmod Q$ for $i \in \{0, 1\}$. It is clear that the probability of the oracle in finding r better than random guessing is negligible, since r

^ Note that the notation $A[x] = r$ is a shortcut for saying that the adversary produces the correct "match". Thus we implicitly assume that an answer of 0 means that the first pair, in this case $[g^{a_0}, g^{b_0}]$, matches with the first number ($g^{v}$); and vice-versa, an answer of 1 means that the first pair matches with the second number.



280 H. Handschuh, Y. Tsiounis, M. Yung



is chosen randomly and independently of v, w and no information about r is included in the oracle's input. For clarity, we assume that the attacker has a success rate (above random guessing) of less than $\frac{1}{2n^c}$, i.e., that the oracle is run sufficiently many (polynomial) times so that the accuracy of the estimate is within this bound. So we have that

$$\left|\Pr[A([g^{a_0}, g^{b_0}], [g^{a_1}, g^{b_1}], g^{v}, g^{w}) = r] - \tfrac{1}{2}\right| < \frac{1}{2n^c} \qquad (1)$$



On the other hand, from the assumption on the power of the oracle (Definition 2), we know that

$$\Pr[A([g^{a_0}, g^{b_0}], [g^{a_1}, g^{b_1}], g^{a_r b_r}, g^{a_{\bar r} b_{\bar r}}) = r] - \tfrac{1}{2} > \frac{1}{n^c} \qquad (2)$$
In other words, the difference of behavior between two random triplets and 
two correct triplets is non-negligible. In particular, we have the following: 

Lemma 4. For every $a_i, b_i, c_i, d_i$, $i \in \{0, 1\}$, for uniformly and independently chosen $r \in_R \{0, 1\}$, $v, w \in_R G_Q$, and for large enough n, it holds that^

$$\Delta([a, b, 1, 1], [c, d, 0, 0]) = \left|\Pr[A([g^{a_0}, g^{b_0}], [g^{a_1}, g^{b_1}], g^{a_r b_r}, g^{a_{\bar r} b_{\bar r}}) = r] - \Pr[A([g^{c_0}, g^{d_0}], [g^{c_1}, g^{d_1}], g^{v}, g^{w}) = r]\right| > \frac{1}{2n^c}.$$

Proof. First, from equation (1) we have

$$\left|\Pr[A([g^{c_0}, g^{d_0}], [g^{c_1}, g^{d_1}], g^{v}, g^{w}) = r] - \tfrac{1}{2}\right| \le \frac{1}{2n^c}.$$

Proceeding to prove the claim, we use the above together with equation (2) to get:

$$\begin{aligned}
\Delta([a, b, 1, 1], [c, d, 0, 0]) &= \left|\Pr[A([g^{a_0}, g^{b_0}], [g^{a_1}, g^{b_1}], g^{a_r b_r}, g^{a_{\bar r} b_{\bar r}}) = r] - \tfrac{1}{2} - \left(\Pr[A([g^{c_0}, g^{d_0}], [g^{c_1}, g^{d_1}], g^{v}, g^{w}) = r] - \tfrac{1}{2}\right)\right| \\
&\ge \left|\Pr[A([g^{a_0}, g^{b_0}], [g^{a_1}, g^{b_1}], g^{a_r b_r}, g^{a_{\bar r} b_{\bar r}}) = r] - \tfrac{1}{2}\right| - \left|\Pr[A([g^{c_0}, g^{d_0}], [g^{c_1}, g^{d_1}], g^{v}, g^{w}) = r] - \tfrac{1}{2}\right| \\
&> \frac{1}{n^c} - \frac{1}{2n^c} = \frac{1}{2n^c}.
\end{aligned}$$

^ The notation here is as follows: $[a, b, i, j]$ signifies that a pair of triplets is given, such that when i (resp. j) is 0 the first (resp. the second) triplet is incorrect, and when it is 1 the triplet is a correct D-H triplet.
Now we show how the actual testing phase proceeds. First the attacker uniformly selects $v \in_R G_Q$ and estimates the difference

$$\Delta([a, b, 1, 1], [e, f, 1, 0]) = \left|\Pr[A([g^{a_0}, g^{b_0}], [g^{a_1}, g^{b_1}], g^{a_r b_r}, g^{a_{\bar r} b_{\bar r}}) = r] - \Pr[A([g^{e_0}, g^{f_0}], [g^{e_1}, g^{f_1}], g^{x}, g^{y}) = r]\right|,$$

where $x, y \in_R \{e_r f_r, v\}$. The estimate is given with accuracy $\frac{1}{16n^c}$. Now if the estimate is greater than or equal to $\frac{3}{16n^c}$ then the actual difference is at least $\frac{3}{16n^c} - \frac{1}{16n^c} = \frac{1}{8n^c}$; in this case the attacker can distinguish between two correct triplets and one correct/one incorrect triplet. If the estimate on the other hand is less than $\frac{3}{16n^c}$ then the actual difference is less than $\frac{3}{16n^c} + \frac{1}{16n^c} = \frac{1}{4n^c}$; in this case we say that the attacker cannot distinguish.

Now we will show that if the attacker cannot distinguish as above, then it must be able to distinguish between one correct/one incorrect triplet and two incorrect triplets. Starting from lemma 4 we have (definitions of variables are similar as above; we omit details):



$$\begin{aligned}
\frac{1}{2n^c} &< \Delta([a, b, 1, 1], [c, d, 0, 0]) \\
&= \left|\Pr[A([g^{a_0}, g^{b_0}], [g^{a_1}, g^{b_1}], g^{a_r b_r}, g^{a_{\bar r} b_{\bar r}}) = r] - \Pr[A([g^{c_0}, g^{d_0}], [g^{c_1}, g^{d_1}], g^{v}, g^{w}) = r]\right| \\
&= \big|\Pr[A([g^{a_0}, g^{b_0}], [g^{a_1}, g^{b_1}], g^{a_r b_r}, g^{a_{\bar r} b_{\bar r}}) = r] - \Pr[A([g^{e_0}, g^{f_0}], [g^{e_1}, g^{f_1}], g^{x}, g^{y}) = r] \\
&\qquad + \Pr[A([g^{e_0}, g^{f_0}], [g^{e_1}, g^{f_1}], g^{x}, g^{y}) = r] - \Pr[A([g^{c_0}, g^{d_0}], [g^{c_1}, g^{d_1}], g^{v}, g^{w}) = r]\big| \\
&\le \left|\Pr[A([g^{a_0}, g^{b_0}], [g^{a_1}, g^{b_1}], g^{a_r b_r}, g^{a_{\bar r} b_{\bar r}}) = r] - \Pr[A([g^{e_0}, g^{f_0}], [g^{e_1}, g^{f_1}], g^{x}, g^{y}) = r]\right| \\
&\qquad + \left|\Pr[A([g^{e_0}, g^{f_0}], [g^{e_1}, g^{f_1}], g^{x}, g^{y}) = r] - \Pr[A([g^{c_0}, g^{d_0}], [g^{c_1}, g^{d_1}], g^{v}, g^{w}) = r]\right| \\
&= \Delta([a, b, 1, 1], [e, f, 1, 0]) + \Delta([e, f, 1, 0], [c, d, 0, 0]).
\end{aligned}$$

Thus, for uniformly chosen $e_i, f_i$, $i \in \{0, 1\}$, i.e., $\Pr[(e_i, f_i)] = \frac{1}{|G_Q|^4}$, and for j enumerating all possible pairs, we have:



$$\begin{aligned}
\sum_j \left[\Delta([a, b, 1, 1], [e, f, 1, 0]) + \Delta([e, f, 1, 0], [c, d, 0, 0])\right] &> \sum_j \frac{1}{2n^c} \\
\sum_j \Delta([a, b, 1, 1], [e, f, 1, 0]) + \sum_j \Delta([e, f, 1, 0], [c, d, 0, 0]) &> |G_Q|^4 \cdot \frac{1}{2n^c} \\
|G_Q|^4 \sum_j \Pr[(e_i, f_i)]\,\Delta([a, b, 1, 1], [e, f, 1, 0]) + |G_Q|^4 \sum_j \Pr[(e_i, f_i)]\,\Delta([e, f, 1, 0], [c, d, 0, 0]) &> |G_Q|^4 \cdot \frac{1}{2n^c} \\
\sum_j \Pr[(e_i, f_i)]\,\Delta([a, b, 1, 1], [e, f, 1, 0]) + \sum_j \Pr[(e_i, f_i)]\,\Delta([e, f, 1, 0], [c, d, 0, 0]) &> \frac{1}{2n^c} \\
E[\Delta([a, b, 1, 1], [e, f, 1, 0])] + E[\Delta([e, f, 1, 0], [c, d, 0, 0])] &> \frac{1}{2n^c},
\end{aligned}$$

where the expectation is taken over the choice of the triplets $(e_i, f_i)$. Therefore, if $E[\Delta([a, b, 1, 1], [e, f, 1, 0])] < \frac{1}{4n^c}$ then we have $E[\Delta([e, f, 1, 0], [c, d, 0, 0])] > \frac{1}{4n^c}$.

In summary, the oracle can be used to distinguish either between two correct triplets and one correct/one incorrect triplet, or between one correct/one incorrect triplet and two incorrect ones.

2. Decision Phase. Now we can use the result of the testing phase to decide 
whether the given triplet is a D-H triplet or not. 

(a) Suppose the attacker can distinguish between two correct DH triplets and one correct/one random triplet. Then she can input a randomized sequence $[g^{a_0}, g^{b_0}]$, $[g^{x}, g^{y}]$ and $g^{a_0 b_0}$, $Z$, where $[g^{x}, g^{y}, Z]$ is the target Decision Diffie-Hellman triplet, to the MDH oracle. If the behavior on these inputs is different from the behavior when fed with a sequence of two randomized correct triplets, conclude that the target DDH triplet is an incorrect Diffie-Hellman triplet. Else, conclude that it is a correct Diffie-Hellman triplet.

In other words, the attacker uses the oracle to estimate the following difference:

$$\Delta([a, b, 1, 1], [(a, b), (x, y), 1, i]) = \left|\Pr[A([g^{a_0}, g^{b_0}], [g^{a_1}, g^{b_1}], g^{a_r b_r}, g^{a_{\bar r} b_{\bar r}}) = r] - \Pr[A([g^{a_0}, g^{b_0}], [g^{x}, g^{y}], X, Y) = r]\right|,$$

where $X, Y \in_R \{g^{a_0 b_0}, Z\}$ and i is 1 or 0 depending on whether the candidate triplet is a correct or incorrect D-H triplet respectively. We implicitly assume here that the inputs to the oracle are randomized as described above. The estimate of the difference is given with accuracy $\frac{1}{32n^c}$. Now if $Z \neq g^{xy}$ then, as we know from the testing phase, the actual difference is at least $\frac{1}{8n^c}$ and the estimate must be larger than $\frac{1}{8n^c} - \frac{1}{32n^c} = \frac{3}{32n^c}$. Otherwise the actual difference would be 0 and the estimate would be smaller than $\frac{1}{32n^c}$. So depending on the estimate (greater than $\frac{3}{32n^c}$ or smaller than $\frac{1}{32n^c}$) the attacker decides whether the input is an incorrect, or respectively a correct Diffie-Hellman triplet.

(b) Otherwise, the oracle is able to distinguish between two random triplets and a correct and a random triplet. Then we can feed the MDH oracle with a randomized sequence $[g^{x}, g^{y}]$, $[g^{a_0}, g^{b_0}]$ and $Z$, $g^{w}$, where $[g^{x}, g^{y}, Z]$ is the target Decision Diffie-Hellman triplet and where w does not satisfy the equation $w = a_0 b_0 \pmod Q$. If the behavior on these inputs is different from the behavior when fed with a sequence of two random triplets, conclude that the target DDH triplet is a correct Diffie-Hellman triplet. Else conclude that it is an incorrect Diffie-Hellman triplet.

In particular, the attacker uses the oracle to estimate the following difference:

$$\Delta([(x, y), (a, b), i, 0], [a, b, 0, 0]) = \left|\Pr[A([g^{x}, g^{y}], [g^{a_0}, g^{b_0}], X, Y) = r] - \Pr[A([g^{a_0}, g^{b_0}], [g^{a_1}, g^{b_1}], g^{z_0}, g^{z_1}) = r]\right|,$$

where $X, Y \in_R \{Z, g^{w}\}$, $w, z_0, z_1 \in_R G_Q$, and i is 1 or 0 depending on whether the candidate triplet is a correct or incorrect D-H triplet respectively. The estimate is given with an accuracy well below the bound from the testing phase. Now if $Z = g^{xy}$ then, as we know from the testing phase, the actual difference is at least $\frac{1}{4n^c}$ and the estimate must be larger than $\frac{1}{4n^c}$ minus the estimation accuracy. Otherwise the actual difference would be 0 and the estimate would be smaller than the estimation accuracy, as analyzed in the testing phase above. So depending on which of these two bounds the estimate falls beyond, the attacker decides whether the input is a correct, or respectively an incorrect Diffie-Hellman triplet.
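The reduction of Theorem 3, run end to end as an added example (my code, not the authors'). It assumes a constructed toy group ($P = 2Q + 1$ with $P = 2039$, $Q = 1019$, $g = 4$, far too small for real use) and simulates the MDH oracle as a black box with two deliberately different biased behaviours, one landing in each case of the decision phase. The attacker code uses only the oracle, the random self-reduction of DDH triplets (the "randomized sequence" of the proof) and frequency estimates, with a fixed threshold standing in for the paper's $1/\mathrm{poly}(n)$ bounds. The names `MatchingOracle`, `match_rate`, `decide_ddh` and the `style` parameter are my own.

```python
import random

# Constructed toy parameters with the paper's shape: P = gamma*Q + 1 with gamma = 2,
# P and Q prime, g a generator of the order-Q subgroup G_Q of Z_P^*.  Real parameters
# are hundreds of bits; these small ones only make the example runnable.
P, Q, g = 2039, 1019, 4

# Brute-force discrete-log table.  Only the *simulated* oracle uses it (it must know
# the truth to have any bias at all); the reduction below never touches it.
_DLOG = {pow(g, k, P): k for k in range(Q)}


def is_dh(X, Y, Z):
    """Reference DDH test: Z == g^{xy} for X = g^x, Y = g^y (toy group only)."""
    return pow(Y, _DLOG[X], P) == Z


def fresh_triplet(rng, correct):
    """Uniform correct DH triplet, or uniform incorrect one (Z = g^{ab+e}, e != 0)."""
    a, b = rng.randrange(1, Q), rng.randrange(1, Q)
    e = 0 if correct else rng.randrange(1, Q)
    return pow(g, a, P), pow(g, b, P), pow(g, (a * b + e) % Q, P)


def rerandomize(rng, X, Y, Z):
    """Random self-reduction of DDH (the proof's 'randomized sequence'):
    x' = ux + s, y' = vy + t, so g^{x'y'} = Z^{uv} X^{ut} Y^{sv} g^{st} exactly
    when Z = g^{xy}.  A correct triplet maps to a uniform correct triplet, an
    incorrect one to a uniform incorrect triplet, unlinkable to the input."""
    u, v = rng.randrange(1, Q), rng.randrange(1, Q)
    s, t = rng.randrange(Q), rng.randrange(Q)
    X2 = pow(X, u, P) * pow(g, s, P) % P
    Y2 = pow(Y, v, P) * pow(g, t, P) % P
    Z2 = pow(Z, u * v, P) * pow(X, u * t, P) * pow(Y, s * v, P) * pow(g, s * t, P) % P
    return X2, Y2, Z2


class MatchingOracle:
    """Simulated black-box MDH oracle.  Answer 0 means 'cand0 belongs to pair0',
    1 means 'cand0 belongs to pair1'.  Two deliberately different behaviours:
      style='both': matches correctly only when both triplets are genuine,
      style='any' : matches correctly whenever at least one triplet is genuine;
    otherwise, and with probability `noise` regardless, it answers a random bit.
    'both' falls into the paper's case (a), 'any' into its case (b)."""

    def __init__(self, style, noise, seed):
        self.style, self.noise, self.rng = style, noise, random.Random(seed)

    def __call__(self, pair0, pair1, cand0, cand1):
        if self.rng.random() < self.noise:
            return self.rng.randrange(2)
        agg = all if self.style == "both" else any
        if agg((is_dh(*pair0, cand0), is_dh(*pair1, cand1))):
            return 0
        if agg((is_dh(*pair0, cand1), is_dh(*pair1, cand0))):
            return 1
        return self.rng.randrange(2)


def match_rate(oracle, rng, make0, make1, trials):
    """Estimate Pr[A(...) = r]: draw two triplets from make0()/make1(), re-randomize
    both, hide the correct association behind a coin r, count how often the oracle
    recovers r.  This is the attacker's only use of the oracle."""
    hits = 0
    for _ in range(trials):
        X0, Y0, Z0 = rerandomize(rng, *make0())
        X1, Y1, Z1 = rerandomize(rng, *make1())
        r = rng.randrange(2)
        cands = (Z0, Z1) if r == 0 else (Z1, Z0)
        hits += oracle((X0, Y0), (X1, Y1), *cands) == r
    return hits / trials


def decide_ddh(oracle, target, seed=0, trials=400, threshold=0.15):
    """Theorem 3's reduction: decide whether `target` is a DH triplet using only the
    matching oracle.  `threshold` stands in for the paper's 1/poly(n) bounds."""
    rng = random.Random(seed)
    good = lambda: fresh_triplet(rng, True)
    bad = lambda: fresh_triplet(rng, False)
    tgt = lambda: target
    # Testing phase: does [1,1] behave differently from [1,0]?
    p11 = match_rate(oracle, rng, good, good, trials)
    p10 = match_rate(oracle, rng, good, bad, trials)
    if abs(p11 - p10) >= threshold:
        # Decision phase, case (a): target is correct iff (correct, target)
        # behaves like (correct, correct).
        p1t = match_rate(oracle, rng, good, tgt, trials)
        return abs(p11 - p1t) < threshold
    # Otherwise Lemma 4 guarantees [1,0] differs from [0,0]: case (b).
    p00 = match_rate(oracle, rng, bad, bad, trials)
    pt0 = match_rate(oracle, rng, tgt, bad, trials)
    return abs(pt0 - p00) >= threshold


def demo(style, noise=0.3, seed=0):
    """Run the reduction against one oracle style on a correct and an incorrect
    target.  Returns (decision for the correct target, decision for the incorrect)."""
    rng = random.Random(seed)
    oracle = MatchingOracle(style, noise, seed + 1)
    return (decide_ddh(oracle, fresh_triplet(rng, True), seed=seed + 2),
            decide_ddh(oracle, fresh_triplet(rng, False), seed=seed + 3))


if __name__ == "__main__":
    for style in ("both", "any"):
        print(style, demo(style))  # expected (True, False) for both styles
```

With 30% of answers replaced by coin flips the two oracle styles still show a gap of roughly 0.35 between the two behaviours the testing phase compares, so a few hundred queries per estimate suffice; the threshold, trial count and noise level are all illustrative constants, not values from the paper.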



4 Universal Malleability Implies Matching = Decision 

In this section we will show that for some special classes of cryptosystems indistinguishability of encryptions is equivalent to being able to decide whether a given ciphertext corresponds to a given plaintext. More precisely, we know that indistinguishability of encryptions is equivalent to semantic security. That is, if some information is leaked from the ciphertext then two ciphertext/plaintext pairs can be "matched" (distinguished); and vice-versa. What we do not know, however, is, given that indistinguishability does not hold, what kind of information can be extracted about the ciphertext.^ Here we show that, under certain assumptions about the encryption, if indistinguishability/semantic security does not hold, then given a pair of plaintext and ciphertext it is possible to decide whether the ciphertext comes from this plaintext. Of course this implication only makes sense in either symmetric encryption or probabilistic asymmetric encryption, since in deterministic asymmetric encryption it is straightforward to make this decision: simply encrypt the plaintext and compare to the candidate ciphertext.

We begin by reiterating the definition of indistinguishability of encryptions. 

Definition 5. (encryption secure in the sense of indistinguishability)

An encryption scheme (G, E, D) is said to be secure in the sense of indistinguishability if, for every probabilistic polynomial time algorithm F (for "Find"), for every probabilistic polynomial time algorithm A, for every constant $c > 0$ and for every sufficiently large n,

$$\Pr\left[F(1^n) = (\alpha, \beta, \gamma)\ \text{s.t.}\ \Omega(\alpha, \beta, \gamma) > \frac{1}{n^c}\right] < \frac{1}{n^c},$$

with

$$\Omega(\alpha, \beta, \gamma) = \left|\Pr[A(\gamma, E_{G(1^n)}(\alpha)) = 1] - \Pr[A(\gamma, E_{G(1^n)}(\beta)) = 1]\right|,$$

where the probability is taken over the coin tosses of F, A, E and G.

^ Of course the existing proofs of equivalence between semantic security and indistinguishability constructively extract some information, but this is limited to a specially fabricated function of some specified plaintext/ciphertext pairs.

For our purposes, we need an additional assumption about the encryption scheme. Intuitively, we need to be able to "randomize" any plaintext/ciphertext pair, such that the resulting pair can obtain all possible values. We name the encryption schemes that satisfy this property "universally malleable," to be contrasted with non-malleable schemes that prohibit altering of the ciphertext. The formal definition follows.



Definition 6. (Universal malleability) An encryption scheme (G, E, D) is called universally malleable if for all but a negligible part of plaintext-ciphertext pairs $(a, E_{G(1^n)}(a)) \in (X_n, Y_n)$, there is a random variable $Z_n$ and a p.p.t. TM T such that

— for every $z \in Z_n$, it holds that $T(a, E_{G(1^n)}(a), z) = (b, E_{G(1^n)}(b))$ for some $b \in X_n$;

— for all but a negligible part of pairs $(c, d) \in (X_n, Y_n)$ there is a $z' \in Z_n$ such that $T(a, E_{G(1^n)}(a), z') = (c, d)$.



Remark: this definition may seem too restrictive, but in fact there are several encryption schemes, at times provably semantically secure under some assumptions, which satisfy it. Examples include the ElGamal cryptosystem, the Okamoto-Uchiyama cryptosystem, the Naccache-Stern higher-order residue cryptosystem and the Goldwasser-Micali quadratic-residue cryptosystem. Typically this property is derived from the random self-reducibility of some underlying problem on which the encryption is based — be it quadratic or higher order residuosity, the Diffie-Hellman problem, or factoring.
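Definition 6 instantiated for ElGamal, as an added example (my code, not from the paper). The transformation T takes $z = (\delta, \rho)$ and shifts the plaintext by $g^{\delta}$ while re-randomizing the encryption exponent by $\rho$, independently of each other, which is the "randomize both the message and the ciphertext" property the introduction describes. It also exhibits the second condition of the definition by solving for the $z'$ that reaches a given target pair; that step uses a brute-force discrete log that only the constructed toy group ($P = 2039$, $Q = 1019$, $g = 4$, an assumption) permits, and the names `malleate`, `solve_z` and `uniform_randomization` are my own.

```python
import random

# Constructed toy parameters: P = 2Q + 1 with P, Q prime, g generating the order-Q
# subgroup of Z_P^*.  Plaintexts are subgroup elements.  Real parameters are far
# larger; these only make the example runnable.
P, Q, g = 2039, 1019, 4
_DLOG = {pow(g, k, P): k for k in range(Q)}   # brute-force log table, toy group only


def keygen(rng):
    """ElGamal key pair: secret x, public y = g^x."""
    x = rng.randrange(1, Q)
    return x, pow(g, x, P)


def encrypt(rng, y, m):
    """E(m) = (g^k, m * y^k) with fresh k."""
    k = rng.randrange(Q)
    return pow(g, k, P), m * pow(y, k, P) % P


def decrypt(x, ct):
    """m = c2 / c1^x; c1^(Q - x) is c1^(-x) because c1 has order dividing Q."""
    c1, c2 = ct
    return c2 * pow(c1, Q - x, P) % P


def malleate(y, m, ct, z):
    """T(a, E(a), z) of Definition 6 for ElGamal (my construction).  z = (delta, rho):
    delta moves the plaintext to m * g^delta, rho moves the encryption exponent from
    k to k + rho.  The two are independent; no secret key is involved."""
    delta, rho = z
    c1, c2 = ct
    m2 = m * pow(g, delta, P) % P
    ct2 = (c1 * pow(g, rho, P) % P, c2 * pow(g, delta, P) * pow(y, rho, P) % P)
    return m2, ct2


def solve_z(m, ct, target_m, target_ct):
    """Second condition of Definition 6: the z' with T(m, E(m), z') = (c, d) for a
    valid target pair.  The definition only needs z' to exist; computing it here
    takes discrete logs, which the toy group allows and a real group would not."""
    delta = (_DLOG[target_m] - _DLOG[m]) % Q
    rho = (_DLOG[target_ct[0]] - _DLOG[ct[0]]) % Q
    return delta, rho


def uniform_randomization(rng, y, m, ct):
    """T with z drawn uniformly from Z_n = Z_Q x Z_Q, as the attacker in the proof of
    Theorem 7 does: yields a uniformly distributed valid (plaintext, ciphertext)."""
    return malleate(y, m, ct, (rng.randrange(Q), rng.randrange(Q)))


def demo(seed=0):
    """Exercise both halves of the definition; every value should be True."""
    rng = random.Random(seed)
    x, y = keygen(rng)
    m = pow(g, rng.randrange(Q), P)
    ct = encrypt(rng, y, m)
    shifted_m, ct_shift = malleate(y, m, ct, (5, 0))     # plaintext only
    same_m, ct_rerand = malleate(y, m, ct, (0, 7))       # ciphertext only
    target_m = pow(g, rng.randrange(Q), P)
    target_ct = encrypt(rng, y, target_m)
    reached = malleate(y, m, ct, solve_z(m, ct, target_m, target_ct))
    m2, ct2 = uniform_randomization(rng, y, m, ct)
    return {
        "decrypts": decrypt(x, ct) == m,
        "plaintext_shift_keeps_c1": ct_shift[0] == ct[0]
                                    and decrypt(x, ct_shift) == shifted_m != m,
        "ciphertext_rerand_keeps_m": same_m == m and ct_rerand != ct
                                     and decrypt(x, ct_rerand) == m,
        "reaches_any_valid_pair": reached == (target_m, target_ct),
        "uniform_output_is_valid": decrypt(x, ct2) == m2,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The homomorphism that makes this work is the one the remark attributes to random self-reducibility: multiplying $c_2$ by $g^{\delta}$ re-encrypts $m g^{\delta}$ under the same $k$, and multiplying $(c_1, c_2)$ by $(g^{\rho}, y^{\rho})$ changes $k$ without touching $m$. The same shape of argument, with the group operation replaced by the scheme's own homomorphism, covers the other systems the remark lists.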



We now proceed to formally define and prove our statement. Again we work 
in the uniform model of computation. 

Theorem 7. Assume that a universally malleable encryption scheme (G, E, D) is not secure in the sense of indistinguishability. Then there exists a p.p.t. TM which, given a pair $(a, E_{G(1^n)}(b))$, can decide non-negligibly better than random guessing whether $a = b$.

Proof. If an encryption is not secure in the sense of indistinguishability then there exists a p.p.t. adversarial algorithm A (which can be seen as the "oracle" that "breaks" the encryption scheme), a (polynomial) random variable $Z_n$ and two independent (polynomial) random variables $X_n, Y_n$ that have the same distribution, such that:

$$\exists c > 0,\ \exists N,\ \text{s.t. for infinitely many } n > N,\quad \Pr[(X_n, Y_n, Z_n) \in B_n] > \frac{1}{n^c},$$

where

$$B_n = \left\{(\alpha, \beta, \gamma) : \left|\Pr[A(\gamma, E_{G(1^n)}(\alpha)) = 1] - \Pr[A(\gamma, E_{G(1^n)}(\beta)) = 1]\right| > \frac{1}{n^c}\right\},$$

where the probabilities are taken over the coin tosses of the key generating algorithm G, the encryption algorithm E, the adversarial algorithm A, and the selection of $(\alpha, \beta, \gamma)$.

We will show how this adversarial algorithm can be used by an attacker to decide whether $a = b$, in the given pair $(a, E_{G(1^n)}(b))$. For simplicity, we will write $(a, E(b))$.

The process requires three phases (including the preparation phase). 

1. Preparation phase. In this phase the attacker finds two plaintexts whose 
ciphertexts she can distinguish. This is possible given the assumptions on 
the power of the adversarial algorithm A above. 

Specifically, the attacker chooses a random message pair $(m_0, m_1)$ from the distribution $X_n$ and tries to estimate the following probability:

$$\Pr[A([m_0, m_1], [E(m_r), E(m_{\bar r})]) = r] - \tfrac{1}{2}, \qquad r \in_R \{0, 1\},\ r \oplus \bar r = 1,$$

with a fixed inverse-polynomial accuracy. Now if the estimate is above the required threshold, the actual probability is above the bound of equation (3) below and the message pair is selected for the next step. Otherwise it is rejected and a new pair is selected. The number of experiments needed to estimate this probability with this accuracy is polynomially bounded since the encryption scheme is not secure in the sense of indistinguishability, and it can be computed using the Hoeffding inequality.

Note that the estimation is performed by randomizing the input to algorithm A. This is where the property of universal malleability is crucial, in guaranteeing that the randomization will always succeed and that the randomized input can take all possible values: recall from the definition that for every $(m, E(m)) \in (X_n, Y_n)$ and $z'$ it holds that $T(m, E(m), z') = (b, E(b))$ for some $b \in X_n$, for all but a negligible part of plaintexts m. Therefore we can randomize the input sequence to the oracle. Now, from the second part of universal malleability we have that for all but a negligible part of pairs $(c, d) \in (X_n, Y_n)$ there is a $z' \in Z_n$ such that $T(m, E(m), z') = (c, d)$. Thus a randomization of $(m, E(m))$ achieved by T choosing a random $z \in_R Z_n$ as above results in a uniformly chosen pair from the distribution $(X_n, Y_n)$, and all but a negligible fraction of those pairs can be generated by T in this manner.

Let $m_0$ and $m_1$ be the two messages that the algorithm can distinguish. We denote this as follows:

$$\Pr[A([m_0, m_1], [E(m_r), E(m_{\bar r})]) = r] - \tfrac{1}{2} > \frac{1}{n^c}, \qquad (3)$$

where $r \in_R \{0, 1\}$, $r \oplus \bar r = 1$.

2. Testing phase. As in section 3 assume that the attacker uniformly and independently selects $r \in_R \{0, 1\}$, $m_2, m_3 \in_R X_n$, $v, w \in_R Y_n$, and then uses the oracle to estimate:

$$\Pr[A([m_2, m_3], [v, w]) = r] - \tfrac{1}{2},$$

where v, w do not encrypt $m_2$ nor $m_3$. Then again it is clear that the probability of the oracle in finding the attacker's random coin tosses for r is negligible (we formalize it as less than $\frac{1}{2n^c}$), since no information (in the Shannon sense) about r is included in the input of A. Thus, combining with equation (3), we have the equivalent of lemma 4:

Lemma 8. For every $m_2, m_3 \in_R X_n$, $r \in_R \{0, 1\}$, $r \oplus \bar r = 1$, $v, w \in_R Y_n$, and for large enough n it holds that

$$\Delta([m_0, m_1, 1, 1], [m_2, m_3, 0, 0]) = \left|\Pr[A([m_0, m_1], [E(m_r), E(m_{\bar r})]) = r] - \Pr[A([m_2, m_3], [v, w]) = r]\right| > \frac{1}{2n^c}.$$

Now the attacker runs algorithm A in order to estimate the difference:

$$\Delta([m_0, m_1, 1, 1], [m_4, m_5, 1, 0]) = \left|\Pr[A([m_0, m_1], [E(m_r), E(m_{\bar r})]) = r] - \Pr[A([m_4, m_5], [X, Y]) = r]\right|,$$

where $X, Y \in_R \{E(m_4), t\}$, $t \in_R Y_n$, $r \in_R \{0, 1\}$, $r \oplus \bar r = 1$.

The estimate is given with accuracy $\frac{1}{16n^c}$; as in the preparation phase, we use the property of universal malleability to allow A to randomize the input and run the oracle as many times as dictated by the Hoeffding inequality. As in section 3 we can test if the difference here is significant, i.e., greater than or equal to $\frac{3}{16n^c}$. In this case, the actual difference is at least $\frac{3}{16n^c} - \frac{1}{16n^c} = \frac{1}{8n^c}$, and the attacker is able to distinguish between two correct plaintext/ciphertext pairs, and one correct and one incorrect one. If on the other hand the estimate is smaller than $\frac{3}{16n^c}$, the actual difference will be smaller than $\frac{3}{16n^c} + \frac{1}{16n^c} = \frac{1}{4n^c}$, and as in section 3 we can show that $\Delta([m_4, m_5, 1, 0], [m_2, m_3, 0, 0])$ will be greater than $\frac{1}{4n^c}$. In other words, the difference between two incorrect plaintext/ciphertext pairs, and one incorrect and one correct pair has to be significant. This is shown as follows:

$$\begin{aligned}
\frac{1}{2n^c} &< \Delta([m_0, m_1, 1, 1], [m_2, m_3, 0, 0]) \\
&= \left|\Pr[A([m_0, m_1], [E(m_r), E(m_{\bar r})]) = r] - \Pr[A([m_2, m_3], [v, w]) = r]\right| \\
&= \big|\Pr[A([m_0, m_1], [E(m_r), E(m_{\bar r})]) = r] - \Pr[A([m_4, m_5], [X, Y]) = r] \\
&\qquad + \Pr[A([m_4, m_5], [X, Y]) = r] - \Pr[A([m_2, m_3], [v, w]) = r]\big| \\
&\le \left|\Pr[A([m_0, m_1], [E(m_r), E(m_{\bar r})]) = r] - \Pr[A([m_4, m_5], [X, Y]) = r]\right| \\
&\qquad + \left|\Pr[A([m_4, m_5], [X, Y]) = r] - \Pr[A([m_2, m_3], [v, w]) = r]\right| \\
&= \Delta([m_0, m_1, 1, 1], [m_4, m_5, 1, 0]) + \Delta([m_4, m_5, 1, 0], [m_2, m_3, 0, 0]).
\end{aligned}$$

Thus, for uniformly chosen $m_4, m_5 \in_R X_n$, i.e., $\Pr[(m_4, m_5)] = \frac{1}{|X_n|^2}$, and for j enumerating all possible pairs, we have:

$$\begin{aligned}
\sum_j \left[\Delta([m_0, m_1, 1, 1], [m_4, m_5, 1, 0]) + \Delta([m_4, m_5, 1, 0], [m_2, m_3, 0, 0])\right] &> \sum_j \frac{1}{2n^c} \\
\sum_j \Delta([m_0, m_1, 1, 1], [m_4, m_5, 1, 0]) + \sum_j \Delta([m_4, m_5, 1, 0], [m_2, m_3, 0, 0]) &> |X_n|^2 \cdot \frac{1}{2n^c} \\
|X_n|^2 \sum_j \Pr[(m_4, m_5)]\,\Delta([m_0, m_1, 1, 1], [m_4, m_5, 1, 0]) + |X_n|^2 \sum_j \Pr[(m_4, m_5)]\,\Delta([m_4, m_5, 1, 0], [m_2, m_3, 0, 0]) &> |X_n|^2 \cdot \frac{1}{2n^c} \\
\sum_j \Pr[(m_4, m_5)]\,\Delta([m_0, m_1, 1, 1], [m_4, m_5, 1, 0]) + \sum_j \Pr[(m_4, m_5)]\,\Delta([m_4, m_5, 1, 0], [m_2, m_3, 0, 0]) &> \frac{1}{2n^c} \\
E[\Delta([m_0, m_1, 1, 1], [m_4, m_5, 1, 0])] + E[\Delta([m_4, m_5, 1, 0], [m_2, m_3, 0, 0])] &> \frac{1}{2n^c},
\end{aligned}$$

where the expected values are taken over the choice of the pair $(m_4, m_5)$. Therefore, if $E[\Delta([m_0, m_1, 1, 1], [m_4, m_5, 1, 0])] < \frac{1}{4n^c}$ then it must be that $E[\Delta([m_4, m_5, 1, 0], [m_2, m_3, 0, 0])] > \frac{1}{4n^c}$.

This concludes the proof that the oracle may either distinguish between two correct plaintext/ciphertext pairs and one correct/one incorrect pair, or between one correct/one incorrect pair and two incorrect plaintext/ciphertext pairs.

We now proceed to the last phase. 

3. Decision phase. In this phase we use the result of the testing phase accordingly. If the first difference is significant, then the attacker estimates the difference

$$\Delta([m_0, m_1, 1, 1], [m_4, a, 1, i]) = \left|\Pr[A([m_0, m_1], [E(m_r), E(m_{\bar r})]) = r] - \Pr[A([m_4, a], [X, Y]) = r]\right|,$$

where $X, Y \in_R \{E(m_4), E(b)\}$. The estimate is given with accuracy $\frac{1}{32n^c}$, after polynomially many trials. In each trial each plaintext/ciphertext pair is randomized over all (but a negligible part) of the possible combinations $(c, d) \in (X_n, Y_n)$; again we utilize the universal malleability property to do this, as in the preparation phase. Now as we know from the testing phase if $a \neq b$ the actual difference is at least $\frac{1}{8n^c}$, so the estimate in this case must be greater than or equal to $\frac{1}{8n^c} - \frac{1}{32n^c} = \frac{3}{32n^c}$. Otherwise, if $a = b$ the actual difference is 0 and the estimate must be less than or equal to $\frac{1}{32n^c}$. Therefore depending on the estimate (greater than $\frac{3}{32n^c}$ or smaller than $\frac{1}{32n^c}$) the attacker decides whether the input is a correct ($i = 1$) or an incorrect ($i = 0$) plaintext/ciphertext pair.

Accordingly, if the testing phase showed that the second difference is significant, then the attacker estimates

$$\Delta([a, m_5, i, 0], [m_2, m_3, 0, 0]) = \left|\Pr[A([a, m_5], [X, Y]) = r] - \Pr[A([m_2, m_3], [v, w]) = r]\right|,$$

where $X, Y \in_R \{E(b), t\}$, $t, v, w \in_R Y_n$. Here the estimate is again computed to an accuracy well below the bound from the testing phase. If $a = b$ then from the testing phase we know that the actual difference is at least $\frac{1}{4n^c}$, and therefore the estimate will be larger than $\frac{1}{4n^c}$ minus the estimation accuracy. Otherwise, when $a \neq b$, the difference would be 0 and the estimate would be smaller than the estimation accuracy. Here again, the attacker can decide whether the input to algorithm A is a correct ($i = 1$) or an incorrect ($i = 0$) plaintext/ciphertext pair depending on the value of the estimated difference (above or below these bounds). Again note that universal malleability is fundamental to this proof in order to be able to feed the oracle with a randomized input sequence.

5 Extensions 

The original version of the matching Diffie-Hellman problem was slightly different from the one used in the analysis above. For convenience we name it "matching D-H II".

Definition 9. (Matching Diffie-Hellman Problem II) For security parameter n, for uniformly chosen $a_i, b_i \in_R G_Q$ ($i \in \{0, 1\}$), P a prime with $|P - 1| = \delta + n$ for a specified constant $\delta$, and for $g \in Z_P^*$ a generator of prime order $Q = (P - 1)/\gamma$ for a specified small integer $\gamma$, given $[g^{a_0}, g^{a_0 b_0}]$, $[g^{a_1}, g^{a_1 b_1}]$ and $g^{b_r}, g^{b_{\bar r}}$, $r, \bar r \in_R \{1, 0\}$, $r \oplus \bar r = 1$, find r with probability better than $\frac{1}{2} + \frac{1}{n^c}$ for some constant c for large enough n.

Using the same techniques as in section 3 it can be shown that this version of the problem is also equivalent to the decision Diffie-Hellman problem, and therefore the two versions of the "matching" problem are equivalent.
Abstract. Public-key certificates play an important role in a public-key cryptosystem. In a public-key infrastructure, it is a presupposition that only the issuer of a signature knows the signing key. Since the security of all clients of the CA depends on the secrecy of the CA's signing key, CAs will pose an attractive target for break-ins.

Once there is a leakage of information on the signing key, the whole system has to be reconstructed as quickly as possible in order to prevent the spread of damage. However, it takes a long time to reconstruct all certificates, because it involves large computation and communication. In this paper, we present a practical solution to cope with the leakage of the CA's signing key. In our protocol, two random number generators (RNGs) generate distinct random numbers and combine them into a random number utilized in the signature algorithm and a timestamp which cannot be forged without revealing the secrets of both RNGs. A verifier can check the timestamp and verify the validity and the time at which the random number was generated. That is, it is impossible for adversaries to forge arbitrary certificates without revealing the secrets of both RNGs.

We show a concrete protocol suitable for a digital signature scheme based on the discrete logarithm.



1 Introduction 

1.1 Motivation 

With the spreading use of networks, digital signatures and public-key cryptosystems are often used to assure identity as well as integrity. In these systems, a public-key certificate plays an important role in thwarting attempts to substitute one public key for another. A public-key certificate is someone's public key, signed by a trusted party (usually known as a certification authority, or CA). In the public-key infrastructure, it is a presupposition that only the issuer of the signature knows the signing key. Since the security of all clients of the CA depends on the secrecy of the CA's signing key, CAs pose an attractive target for break-ins [ref].

* This work was performed in part under the Research for the Future Program (RFTF) supported by the Japan Society for the Promotion of Science (JSPS) under contract no. JSPS-RFTF 96P00604.

Many solutions to keep such attractive information secure against adversaries have already been proposed [ref]. In particular, the threshold cryptosystem (introduced by Desmedt and Frankel [ref]) enhances the security of the key by sharing it among a group of servers. An attack on this threshold cryptosystem cannot succeed without revealing more than a threshold of shares (within a given period of time). Using a sufficiently high threshold can practically assure the security of the CA's signing key.

However, if an adversary should reveal more than a threshold of shares and compute the original CA's signing key, the threshold cryptosystem provides no measure to cope with this critical situation. Accordingly, once this attack has succeeded, there is no practical way to repair the system except its total reconstruction: the CA has to produce a new signing key, renew all certificates that have been issued, and send them back to each client of the CA. Renewing the CA's signing key is a serious problem, because it takes a long time to renew a large number of certificates. On the other hand, an adversary who knows the CA's signing key can produce arbitrary forged certificates that pass verification. Therefore, the renewal of all certificates has to be performed as quickly as possible, before many forged certificates spread and the damage over the network increases.

1.2 Checking Random Number and Timestamping 

The purpose of this study is to show a practical solution to cope with the leakage of the CA's signing key. What is significant in our protocol is that a verifier can verify the validity of the random number used in the CA's signature algorithm by checking a timestamp [ref]. Since it is distinguishable whether a certificate was produced in accordance with the regular procedures of the CA, the adversary cannot forge certificates even after the leakage of the CA's signing key. Moreover, we divide the procedure for generating the random number and producing the timestamp into two parts. Two random number generators (RNGs) generate distinct random numbers, and the CA combines them into a single random number used in the signature generation algorithm and into a timestamp which cannot be forged without revealing the secret of both RNGs.

We assume that the entire secret of the CA is revealed to an adversary at some 
point of time, while the secret of both RNGs is not revealed. On this assumption, 
we present a practical and secure protocol to generate the random number with 
a timestamp that allows the verifier to check the validity of certificate. 

In our scheme, a verifier can check the validity of the random number even after the leakage of the CA's signing key. That is, our protocol acts as insurance against such a failure. If the random number is correct, the holder of the certificate gets the CA to issue a new one; otherwise, the certificate is rejected and disapproved in future. Since it is not necessary to renew the whole system immediately, the work of re-issuing the certificates can be spread out by the CA, from the viewpoint of both computation and communication. We present an efficient procedure to reconstruct the system and renew all of the certificates.

We show a concrete protocol suitable for a digital signature scheme based on the discrete logarithm problem (DLP) [ref]. Our scheme is applicable to most digital signature schemes based on the DLP and has many applications in practical networks.

1.3 Related Research 

Before we discuss our protocol in detail, we describe the background of our research and the difference between previous work and our result.

As a way to cope with attacks on public-key certification schemes, various techniques to enhance security have been proposed.

If one of the certificates should be spoiled for any reason, the CA has to revoke it as soon as possible. This problem, generally called "certificate revocation", is still a difficult one to solve. The use of a CRL (certificate revocation list) [ref] is the most common way of revoking certificates. The CRL is a list of invalid certificates and it is published over a network. On checking the validity of a certificate, the verifier can consult the CRL in order to check that the certificate is not listed as revoked. However, the CRL is effective only if the number of revoked certificates is considerably smaller than the total number of distributed ones. For the threat considered here, namely an exposure of the CA's signing key, a CRL is not enough, because the CA has to revoke all of the certificates that have been distributed before. Our proposed scheme is effective in this case, because the validity of a certificate, i.e. whether the CA correctly generated the signature, is publicly verifiable by checking the random number used within the signature. As far as we know, little is known about concrete methods to cope efficiently with the exposure of a CA's signing key.

Using a CRL together with our scheme makes it flexible to renew the CA's signing key and all certificates. When the CA's signing key leaks, it is necessary to renew all certificates; however, they cannot all be renewed at once. A practical solution is to spread the renewal work over time. The CRL is applied to the verification of certificates that were issued before the leakage, and our renewal procedure gives priority to certificates issued after the leakage. Consequently, the combination of the CRL and our scheme reduces the load on the CA from the implementation's point of view.

Turning now to ways of making the CA's signing key secure, elegant solutions are well known, namely threshold signature schemes [ref]. Using a $(t, n)$ threshold signature scheme, the secret key is shared by a group of $n$ players and any coalition of $t$ ($t < n$) players can produce a new valid signature on a given message $m$. Our scheme and $(2, 2)$ threshold signature schemes seem to share certain similarities in that a coalition of two players (the RNGs, in our case) can produce a new valid signature on a given message.

However, the threshold signature scheme is different from ours from the computational and communication points of view. The threshold signature scheme distributes trust among the parties symmetrically and achieves high-level security even in the presence of a minority of malicious parties [ref]. However, its protocol requires a number of computations and communications over a secure channel. Our scheme reduces the number of computations and communications substantially, such that our protocol is applicable to low-power devices that generate random sequences. Therefore, we consider no malicious devices; that is, we regard these devices as tamper-resistant, low-power devices. Indeed, the number of computations is only two and the number of modular exponentiations in each RNG is only one. In addition, our scheme is not an idea directly opposed to the threshold signature scheme. Since our scheme does not manipulate the signature scheme itself, it is easy to modify our scheme to work together with existing threshold signature schemes.

Our generation of the random number is different from the previous generation described in [ref]. The previous one does not show any way for an outsider to check the random number. For the random number generated by our scheme, it is publicly verifiable whether or not it was generated by the authenticated RNGs. Moreover, in our scheme, an authenticated random number cannot be generated without breaking both RNGs.

Digital signature schemes based on the DLP are often used in various scenarios [ref]. In such schemes, a random number $r$ is required for generating a signature, and $g^r$ appears in the verification of the signature. Since random numbers generated in our scheme satisfy the conditions required in general DLP-based signature schemes, our scheme is applicable to various systems without specifying the signature generation algorithm.



1.4 Outline 

The rest of this paper is organized as follows: In Sect. 2 we describe the protocols 
we use as building blocks and give the basic assumptions. In Sect. 3 we describe 
our protocol. In Sect. 4 we analyze the requirement and the efficiency of our 
protocol. Finally, Sect. 5 contains conclusions. 

2 Preliminaries 

2.1 Definition 

The following notations are used in the sequel: 

CA (Certification Authority) The issuer of all certificates. We assume that the entire secret of the CA (not including the RNGs) leaks to an adversary at some point in time.

RNG (Random Number Generator) The RNG is a random number generator. It is tamper-resistant but computationally limited. In our scheme, two RNGs (denoted $RNG_1$, $RNG_2$) generate the random numbers. Then the CA combines their values into a value that is used as the random number in signature generation. Therefore, $RNG_1$ and $RNG_2$ have the following communication properties:

- $RNG_1$ has secret communication channels to $RNG_2$ and to the CA.
- $RNG_2$ has a secret communication channel from $RNG_1$ and one to the CA.

User A member who has his own certificate and uses it in verification. A user's certificate has to be issued by the CA.

Verifier A member who verifies a certificate. Since the storage capacity of the verifier is limited, he cannot hold the information of all users.

Adversary A person who attempts, and succeeds in, break-ins to the CA at some point in time.

From here on, a certificate means a signature $sig$ appended to a message $m$, where $m$ includes the user's identity, the value of the user's public key, the time of issue, etc.

Finally, we will use the following definition of the parameters.

Definition 1. Let $p$ and $q$ be large primes such that $q \mid p - 1$ and let $g$ be an element of order $q$ in $\mathbb{Z}_p^*$. Let $H(\cdot)$ denote a secure one-way hash function which maps from the integer space to $\mathbb{Z}_q$ and let the symbol $\|$ denote bit string concatenation. $(p, q, g, H)$ is public.

2.2 Basic Protocol 

Schnorr Signature Scheme. We apply the Schnorr signature generation algorithm (extended by Okamoto [ref]) to timestamp the random numbers. In Schnorr's scheme, to generate a private/public key pair, Alice chooses a random number $s$ with $0 < s < q$. This is her private key. Then she calculates

$$v := g^{-s} \bmod p.$$

The result $v$ is Alice's public key. Schnorr's scheme uses a secure one-way hash function. To sign a message $m$, Alice picks a random number $r \in \mathbb{Z}_q$ and does the following computations:

$$e := H(g^{r} \bmod p \,\|\, m), \qquad y := r + s e \bmod q.$$

The signature on the message $m$ is the pair $(e, y)$. To verify the signature, Bob computes

$$z := g^{y} v^{e} \bmod p$$

and tests whether $e$ is equal to $H(z \,\|\, m)$. If this test is true, Bob accepts the signature as valid.

In Schnorr's algorithm, most of the computation for signature generation can be completed in a preprocessing stage, independent of the message being signed. Hence, it can be done during idle time and does not affect the signing speed [ref]. These features are suitable for our purpose.
Combination of Random Number and Secret ($Comb$). In order to combine the random numbers generated by the RNGs into a random number used in the CA's signature generation, we adapt and optimize the technique of the 3-party distributed computation protocol in [ref].

Alice and Bob possess $a_1 \in \mathbb{Z}_q$ and $a_2, e_2 \in \mathbb{Z}_q$, respectively. They generate random $r_1 \in \mathbb{Z}_q$ and $r_2 \in \mathbb{Z}_q$, respectively. They wish to let Carol know $r = (a_1 + a_2)\, r_2 + e_2\, r_1 \pmod q$ such that at the end of the computation Carol has no information about $a_1, a_2, e_2, r_1, r_2$. Simultaneously, Alice has no information about $a_2, e_2, r_2, r$ and Bob has no information about $a_1, r_1, r$.

Definition 2. Two participants, Alice and Bob, secretly possess $a_1 \in \mathbb{Z}_q$ and $a_2, e_2 \in \mathbb{Z}_q$, respectively, and choose at random $r_1 \in \mathbb{Z}_q$ and $r_2 \in \mathbb{Z}_q$, respectively. The distributed computation protocol $Comb$ lets Carol learn $r = (a_1 + a_2)\, r_2 + e_2\, r_1 \pmod q$ without revealing any additional information to any party. The protocol consists of three steps.

Step 1 Alice computes $MES_{A \to C}(a_1, r_1)$ and $MES_{A \to B}(a_1, r_1)$ using the algorithm $\Gamma_1$ and sends the former to Carol and the latter to Bob.

$$a_1, r_1 \;\xrightarrow{\;\Gamma_1\;}\; MES_{A \to B}(a_1, r_1),\; MES_{A \to C}(a_1, r_1)$$

Step 2 Bob computes $MES_{B \to C}(a_2, e_2, r_2)$ using the algorithm $\Gamma_2$ and sends it to Carol.

$$MES_{A \to B}(a_1, r_1),\; a_2, e_2, r_2 \;\xrightarrow{\;\Gamma_2\;}\; MES_{B \to C}(a_2, e_2, r_2)$$

Step 3 Carol computes $r$ using the algorithm $\Gamma_3$.

$$MES_{A \to C}(a_1, r_1) + MES_{B \to C}(a_2, e_2, r_2) \;\xrightarrow{\;\Gamma_3\;}\; r$$

We now show the details of the algorithms $\Gamma_1$, $\Gamma_2$ and $\Gamma_3$. We assume that $x_A, x_B, x_C$ are public parameters corresponding to Alice, Bob and Carol respectively, and that all arithmetic operations are done modulo $q$. The protocol works as follows:

Alice Alice picks two random lines $f_{a_1}(x)$ and $f_{r_1}(x)$ such that they intersect the $y$-axis at $a_1$ and $r_1$, respectively. She evaluates each line at the three points $x_A, x_B, x_C$. Next, Alice picks three random numbers $t_1, t_2, t_3$ and a random quadratic polynomial $f_{rnd}(x)$ such that $f_{rnd}(0) = 0$. She computes:

$$r_A = (f_{a_1}(x_A) + t_1)\, t_2 + t_3\, f_{r_1}(x_A) + f_{rnd}(x_A).$$

She computes and sends $MES_{A \to B}(a_1, r_1)$ to Bob and $MES_{A \to C}(a_1, r_1)$ to Carol (from here on, we denote this computation of Alice by $\Gamma_1$).

$$\text{Alice} \to \text{Bob}:\; MES_{A \to B}(a_1, r_1) = \big(f_{a_1}(x_B),\, f_{r_1}(x_B),\, f_{rnd}(x_B),\, t_1, t_2, t_3\big)$$

$$\text{Alice} \to \text{Carol}:\; MES_{A \to C}(a_1, r_1) = \big(f_{a_1}(x_C),\, f_{r_1}(x_C),\, f_{rnd}(x_C),\, r_A\big)$$
Bob Bob computes $t_1' = (t_1 - a_2)/x_A$, $t_2' = (t_2 - r_2)/x_A$ and $t_3' = (t_3 - e_2)/x_A$. Note that the three lines $f_{a_2} = t_1' x + a_2$, $f_{r_2} = t_2' x + r_2$ and $f_{e_2} = t_3' x + e_2$ intersect the $y$-axis at $a_2, r_2, e_2$ respectively and evaluate to $t_1, t_2, t_3$ at $x_A$. Next, Bob computes:

$$r_B = (f_{a_1}(x_B) + f_{a_2}(x_B))\, f_{r_2}(x_B) + f_{e_2}(x_B)\, f_{r_1}(x_B) + f_{rnd}(x_B)$$

and sends $MES_{B \to C}(a_2, r_2, e_2)$ to Carol (from here on, we denote this computation of Bob by $\Gamma_2$).

$$\text{Bob} \to \text{Carol}:\; MES_{B \to C}(a_2, r_2, e_2) = \big(f_{a_2}(x_C),\, f_{r_2}(x_C),\, f_{e_2}(x_C),\, r_B\big)$$

Carol From $MES_{A \to C}(a_1, r_1)$ and $MES_{B \to C}(a_2, r_2, e_2)$, Carol computes:

$$r_C = (f_{a_1}(x_C) + f_{a_2}(x_C))\, f_{r_2}(x_C) + f_{e_2}(x_C)\, f_{r_1}(x_C) + f_{rnd}(x_C).$$

She then interpolates the quadratic polynomial $\alpha(x)$ that passes through the points $(x_A, r_A)$, $(x_B, r_B)$, $(x_C, r_C)$. Carol obtains $\alpha(0) = r$ (from here on, we denote this computation of Carol by $\Gamma_3$).

To see that $\alpha(0)$ indeed equals $r$, observe that the polynomial $\alpha(x)$ satisfies

$$\alpha(x) = (f_{a_1}(x) + f_{a_2}(x))\, f_{r_2}(x) + f_{e_2}(x)\, f_{r_1}(x) + f_{rnd}(x).$$

Indeed, $\alpha(x_i) = r_i$ for $i = A, B, C$. It is clear that Alice and Bob cannot learn each other's secret information, nor the value of $r$.

Lemma 3. Given $r$, Carol can simulate each transcript of the protocol. Consequently, she learns nothing more than the value of $r$.

Sketch of the Proof To simulate Carol's view, the simulator picks at random $(a_{1,C}, r_{1,C}, a_{2,C}, e_{2,C}, r_{2,C}, rnd_C)$ and computes $r_C = (a_{1,C} + a_{2,C})\, r_{2,C} + e_{2,C}\, r_{1,C} + rnd_C$, and then picks a random quadratic polynomial $\alpha(x)$ satisfying $\alpha(0) = r$ and $\alpha(x_C) = r_C$. It computes $r_A = \alpha(x_A)$ and $r_B = \alpha(x_B)$. These values are a perfect simulation of Carol's view. □

The number of messages in this protocol is only three: Alice sends $MES_{A \to B}$ to Bob and $MES_{A \to C}$ to Carol; then Bob sends $MES_{B \to C}$ to Carol. Moreover, this protocol is efficient in computation, since no modular exponentiation is performed.
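The following is an added example, not code from the paper: a run of the three-step $Comb$ protocol above with Alice, Bob and Carol as separate functions, so that Carol's interpolated $\alpha(0)$ can be compared against $(a_1 + a_2)\, r_2 + e_2\, r_1 \bmod q$. The modulus `Q` and the public points `X_A, X_B, X_C` are assumptions chosen for the demonstration.

```python
"""Added example (not the paper's code): the Comb protocol of Sect. 2.2.

Alice holds (a1, r1), Bob holds (a2, e2, r2).  Carol learns
r = (a1 + a2) * r2 + e2 * r1  (mod Q) by interpolating the quadratic
alpha(x) through three shares, never seeing any of the inputs.
"""
import secrets

Q = 2**127 - 1            # prime modulus standing in for the paper's q (assumed)
X_A, X_B, X_C = 1, 2, 3   # public evaluation points of the three parties (assumed)


def inv(x):
    return pow(x, -1, Q)


def line(intercept, slope):
    """A random line f(x) = intercept + slope*x; f(0) is the value being shared."""
    return lambda x: (intercept + slope * x) % Q


def alice_step(a1, r1):
    """Gamma_1: returns (MES_{A->B}, MES_{A->C})."""
    f_a1, f_r1 = line(a1, secrets.randbelow(Q)), line(r1, secrets.randbelow(Q))
    t1, t2, t3 = (secrets.randbelow(Q) for _ in range(3))
    c1, c2 = secrets.randbelow(Q), secrets.randbelow(Q)
    f_rnd = lambda x: (c1 * x + c2 * x * x) % Q      # quadratic with f_rnd(0) = 0
    r_a = ((f_a1(X_A) + t1) * t2 + t3 * f_r1(X_A) + f_rnd(X_A)) % Q
    to_bob = (f_a1(X_B), f_r1(X_B), f_rnd(X_B), t1, t2, t3)
    to_carol = (f_a1(X_C), f_r1(X_C), f_rnd(X_C), r_a)
    return to_bob, to_carol


def bob_step(a2, e2, r2, mes_from_alice):
    """Gamma_2: returns MES_{B->C}."""
    fa1_xb, fr1_xb, frnd_xb, t1, t2, t3 = mes_from_alice
    ia = inv(X_A)
    # Lines through (0, a2), (0, r2), (0, e2) that pass through Alice's t1, t2, t3 at x_A.
    f_a2 = line(a2, (t1 - a2) * ia % Q)
    f_r2 = line(r2, (t2 - r2) * ia % Q)
    f_e2 = line(e2, (t3 - e2) * ia % Q)
    r_b = ((fa1_xb + f_a2(X_B)) * f_r2(X_B) + f_e2(X_B) * fr1_xb + frnd_xb) % Q
    return (f_a2(X_C), f_r2(X_C), f_e2(X_C), r_b)


def carol_step(mes_from_alice, mes_from_bob):
    """Gamma_3: Carol's own share r_C, then alpha(0) by Lagrange interpolation."""
    fa1_xc, fr1_xc, frnd_xc, r_a = mes_from_alice
    fa2_xc, fr2_xc, fe2_xc, r_b = mes_from_bob
    r_c = ((fa1_xc + fa2_xc) * fr2_xc + fe2_xc * fr1_xc + frnd_xc) % Q
    points = [(X_A, r_a), (X_B, r_b), (X_C, r_c)]
    r = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % Q
                den = den * (xi - xj) % Q
        r = (r + yi * num * inv(den)) % Q
    return r


def comb(a1, r1, a2, e2, r2):
    """Run the whole protocol; Carol's output equals (a1+a2)*r2 + e2*r1 mod Q."""
    to_bob, to_carol = alice_step(a1, r1)
    return carol_step(to_carol, bob_step(a2, e2, r2, to_bob))


if __name__ == "__main__":
    a1, r1, a2, e2, r2 = (secrets.randbelow(Q) for _ in range(5))
    assert comb(a1, r1, a2, e2, r2) == ((a1 + a2) * r2 + e2 * r1) % Q
    print("Carol recovered r without learning a1, r1, a2, e2 or r2")
```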



2.3 Basic Assumption 

As a presupposition of our scenario, we assume the following conditions when considering the adversary.

Assumption 2.1 The entire secret information of the CA is leaked to an adversary at some point in time, including the secret keys and the algorithm.

Assumption 2.2 The secret information of at least one of the RNGs is secure against break-ins by the adversary.

The rest of the paper depends on the following assumption.

Assumption 2.3 (Discrete Logarithm Assumption [ref]) Let $q$ be a large prime (e.g. $q > \ldots$) and $\alpha$ a generator of the multiplicative group $\mathbb{Z}_q^*$. Under the discrete logarithm assumption, when $q - 1$ has at least one large factor, the modular exponentiation function $f : x \mapsto \alpha^{x} \bmod q$ is hard to invert.

Based on the above assumptions, we will give the description of our protocol 
to maintain the unforgeability of certificates and to facilitate a system recon- 
struction even after there is the leakage of the CA’s secret. 

3 Protocol 

Our protocol consists of four parts, namely the preliminaries by the CA, the shared generation of random numbers by $RNG_1$ and $RNG_2$, timestamp and signature generation, and verification.

3.1 Preliminary

The CA randomly chooses three elements $s_1, s_2, a \in \mathbb{Z}_q^*$ and chooses two integers $a_1, a_2$ such that $a = a_1 + a_2 \pmod q$, where $(s_1, a_1)$ and $(s_2, a_2)$ are the secret keys of $RNG_1$ and $RNG_2$, respectively. $h = g^{a} \pmod p$ and $v = g^{s_1} h^{s_2} \pmod p$ are the public verification keys. The CA erases the value $a$.

3.2 Shared Generation of Random Number 

At first, the CA inputs the value $H(m)$ to $RNG_1$ and $RNG_2$.

$RNG_1$ $RNG_1$ picks a random number $r_1 \in \mathbb{Z}_q$ and does the following computations:

$$RNG_1 : e_1 := H(g^{r_1} \bmod p \,\|\, H(m) \,\|\, t)$$

$$RNG_1 : y_1 := r_1 + s_1 e_1 \bmod q,$$

where $H(m)$ is the message, $t$ is the time and $(e_1, y_1)$ is the Schnorr signature on the value $H(m) \,\|\, t$. Simultaneously, $RNG_1$ computes the two messages $MES_{1 \to 2}(a_1, r_1)$, $MES_{1 \to C}(a_1, r_1)$ using the algorithm $\Gamma_1$ of Definition 2.

$$RNG_1 : a_1, r_1 \;\xrightarrow{\;\Gamma_1\;}\; MES_{1 \to 2}(a_1, r_1),\; MES_{1 \to C}(a_1, r_1)$$

$RNG_1$ sends $(t, e_1, y_1, MES_{1 \to 2})$ to $RNG_2$ and $(t, e_1, y_1, MES_{1 \to C})$ to the CA.

$$RNG_1 \to RNG_2 : t, e_1, y_1, MES_{1 \to 2}(a_1, r_1)$$

$$RNG_1 \to CA : t, e_1, y_1, MES_{1 \to C}(a_1, r_1)$$
$RNG_2$ $RNG_2$ picks a random number $r_2 \in \mathbb{Z}_q$ and does the following computations:

$$RNG_2 : e_2 := H(g^{y_1} \bmod p \,\|\, H(m) \,\|\, t)$$

$$RNG_2 : y_2 := r_2 + s_2 e_1 e_2 \bmod q$$

Simultaneously, $RNG_2$ computes the message $MES_{2 \to C}(a_2, e_2, r_2)$ using the algorithm $\Gamma_2$ of Definition 2.

$$RNG_2 : MES_{1 \to 2}(a_1, r_1),\; a_2, e_2, r_2 \;\xrightarrow{\;\Gamma_2\;}\; MES_{2 \to C}(a_2, e_2, r_2)$$

$RNG_2$ sends $(t, e_2, y_2, MES_{2 \to C}(a_2, e_2, r_2))$ to the CA.

$$RNG_2 \to CA : t, e_2, y_2, MES_{2 \to C}(a_2, e_2, r_2)$$

3.3 Timestamp & Signature Generation

The CA issues the certificate of user $U$, that is, the signature $sig$ on the message $m$ (including the identity of $U$, the value of the user's public key, the time of issue, etc.), and transmits it to $U$.

The CA computes $r = (a_1 + a_2)\, r_2 + e_2\, r_1$ from $MES_{1 \to C}$ and $MES_{2 \to C}$ using the algorithm $\Gamma_3$ of Definition 2. The CA uses $r$ as the random number for signature generation.

$$CA : MES_{1 \to C}(a_1, r_1) + MES_{2 \to C}(a_2, e_2, r_2) \;\xrightarrow{\;\Gamma_3\;}\; r$$

The set of values $(t, e_1, e_2, y_2)$ is the timestamp on the random number $r$.

$$CA : timestamp(r) := (t, e_1, e_2, y_2)$$

The CA generates the certificate, that is, the signature $sig$ on the given message $m$, using the DLP-based signature generation algorithm $SIG$.

$$CA : m, r \;\xrightarrow{\;SIG\;}\; sig$$

Finally, the CA sends $m, sig, timestamp(r)$ to $U$ and erases $r, y_1$.

$$CA \to U : m, sig, timestamp(r)$$



3.4 Verification 

The verification procedure differs between before and after the adversary obtains the secret of the CA. There is hardly any increase in the number of operations in verification before the leakage of the CA's secret, even though we apply our protocol to the normal signature scheme. Since the attack under consideration here is the extremely rare case that the CA's signing key is completely leaked to an adversary, the increase in operations with respect to the ordinary process should be minimized if possible.

In case the CA's secret has not been leaked yet, the timestamp generated by our scheme is not used. Therefore, we consider the case that the CA's secret has leaked for some reason, e.g. a corrupted administrator or a break-in.

The signature scheme $SIG$ itself is not secure after this failure. Therefore, the verifier checks the random number used in the signature scheme. In this check, the additional information, namely $timestamp(r)$, is used. Through the check of the correctness of the timestamp, the verifier can discriminate whether the random number used in the signature was generated by the authorized RNGs at the correct time.

The verification procedure works as follows. In the beginning, the verifier $V$ computes $z = g^{r} \bmod p$ from $SIG$.

$$V : m, sig \;\xrightarrow{\;SIG\;}\; g^{r}\ (= z) \bmod p$$

$V$ computes:

$$V : \gamma := \left(z\, v^{e_1 e_2}\, h^{-y_2}\right)^{1/e_2} \bmod p$$

and tests whether $e_2$ is equal to $H(\gamma \,\|\, H(m) \,\|\, t)$. If this test is true, $V$ accepts the random number used in the signature as valid. If false, $V$ reports that result to the CA.



4 Analysis 

4.1 Verifiability 

At first, we show the verifiability of a correct timestamp.

Theorem 4. If the timestamp $(t, e_1, e_2, y_2)$ on the random number $r$ is correct, it passes the verification procedure.

Theorem 5. Our verification procedure can verify the correctness of the timestamp without revealing $r$ itself.

Sketch of the Proof

$$y_1 = r_1 + s_1 e_1 \bmod q \;\Rightarrow\; g^{y_1} = g^{r_1} g^{s_1 e_1} \bmod p \;\Rightarrow\; g^{y_1 e_2} = g^{r_1 e_2} g^{s_1 e_1 e_2} \bmod p$$

$$y_2 = r_2 + s_2 e_1 e_2 \bmod q \;\Rightarrow\; h^{y_2} = h^{r_2} h^{s_2 e_1 e_2} \bmod p$$

$$g^{y_1 e_2} h^{y_2} \bmod p = g^{r_1 e_2} h^{r_2} \left(g^{s_1} h^{s_2}\right)^{e_1 e_2} \bmod p = g^{r} v^{e_1 e_2} \bmod p \quad (\text{because } r = a r_2 + r_1 e_2)$$

$$g^{y_1} = \left(g^{r} v^{e_1 e_2} h^{-y_2}\right)^{1/e_2} \bmod p$$

$$e_2 = H(g^{y_1} \bmod p \,\|\, H(m) \,\|\, t) = H\!\left(\left(g^{r} v^{e_1 e_2} h^{-y_2}\right)^{1/e_2} \bmod p \,\|\, H(m) \,\|\, t\right)$$

□
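Below is an added example, not the paper's own code, running the timestamp generation of Sect. 3.2-3.3 and the verifier's check of Sect. 3.4, which rests on the identity $g^{y_1 e_2} h^{y_2} = g^{r} v^{e_1 e_2}$ from the proof above. It assumes a small constructed group $(p, q, g)$, SHA-256 over the `||`-joined fields as $H$, and has the CA form $r$ directly rather than through $Comb$ (which yields the same value while hiding the RNGs' inputs).

```python
"""Added example (not the paper's code): timestamp generation (Sect. 3.2-3.3)
and the verifier's check, which rests on the identity of Theorem 5:
    g^(y1 e2) * h^(y2) = g^r * v^(e1 e2)   (mod p).
Toy parameters only; q must be about 160 bits for any real use.
"""
import hashlib
import secrets

P, Q, G = 2039, 1019, 4   # constructed toy group: Q | P-1, G has order Q in Z_P^*


def H(*fields):
    """H(.): SHA-256 over the '||'-concatenation of the fields, as an integer."""
    data = b"||".join(str(f).encode() for f in fields)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def rand_zq():
    return secrets.randbelow(Q - 1) + 1


def ca_setup():
    """Sect. 3.1: (s_i, a_i) go to RNG_i; h = g^a and v = g^s1 h^s2 are public; a is erased."""
    s1, s2, a1, a2 = rand_zq(), rand_zq(), rand_zq(), rand_zq()
    h = pow(G, (a1 + a2) % Q, P)
    v = pow(G, s1, P) * pow(h, s2, P) % P
    return {"pub": (h, v), "rng1": (s1, a1), "rng2": (s2, a2)}


def rng1_step(s1, hm, t):
    """RNG_1: Schnorr signature (e1, y1) on H(m)||t with a fresh r1."""
    r1 = rand_zq()
    e1 = H(pow(G, r1, P), hm, t)
    y1 = (r1 + s1 * e1) % Q
    return r1, e1, y1


def rng2_step(s2, hm, t, e1, y1):
    """RNG_2: binds e2 to g^y1 received from RNG_1, then y2 = r2 + s2 e1 e2."""
    r2 = rand_zq()
    e2 = H(pow(G, y1, P), hm, t)
    y2 = (r2 + s2 * e1 * e2) % Q
    return r2, e2, y2


def ca_issue(keys, m, t):
    """Returns z = g^r (what a DLP signature on m exposes) and timestamp(r)."""
    s1, a1 = keys["rng1"]
    s2, a2 = keys["rng2"]
    hm = H(m)
    while True:
        r1, e1, y1 = rng1_step(s1, hm, t)
        r2, e2, y2 = rng2_step(s2, hm, t, e1, y1)
        if e2 % Q:          # guard for the toy q: the verifier needs 1/e2 mod q
            break
    r = ((a1 + a2) * r2 + e2 * r1) % Q     # the value Comb hands to the CA
    return pow(G, r, P), (t, e1, e2, y2)


def verify_timestamp(pub, m, z, timestamp):
    """Sect. 3.4: recover g^y1 from public data only and recompute e2."""
    h, v = pub
    t, e1, e2, y2 = timestamp
    base = z * pow(v, e1 * e2, P) * pow(h, -y2, P) % P   # = g^(y1 e2)
    gamma = pow(base, pow(e2, -1, Q), P)                 # = g^y1
    return e2 == H(gamma, H(m), t)


def forge_for_other_message(timestamp):
    """Case 2 adversary (CA secret only): picks r' himself and reuses a published timestamp."""
    return pow(G, rand_zq(), P), timestamp


if __name__ == "__main__":
    keys = ca_setup()
    z, ts = ca_issue(keys, "cert: user U, pubkey ...", 934_000_000)
    assert verify_timestamp(keys["pub"], "cert: user U, pubkey ...", z, ts)
    z_f, ts_f = forge_for_other_message(ts)
    assert not verify_timestamp(keys["pub"], "cert: user W, pubkey ...", z_f, ts_f)
    print("honest timestamp accepted; forgery on another message rejected")
```

The forged certificate fails because $e_2$ is bound to $H(m) \,\|\, t$, which is the point of Theorem 11; a real deployment would use a 160-bit $q$ rather than the toy group.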
4.2 Security

Now we examine the security of our scheme. According to the extent of the leakage, we have to consider four cases.

Case 1 An adversary has no information about the secret of the CA, $RNG_1$ or $RNG_2$. That is, he knows several sets of $\langle m, sig, timestamp(r) \rangle$.

Case 2 The CA's secret has become known to an adversary, who has no information about the secret of $RNG_1$, $RNG_2$. That is, the adversary knows the algorithm $SIG$ and several sets of $\langle m, sig, r, timestamp(r) \rangle$.

Case 3 The CA's secret and $RNG_1$'s secret are known to an adversary, who has no information about the secret of $RNG_2$. That is, the adversary knows the algorithm $SIG$, the values $\langle a_1, s_1 \rangle$ and several sets of $\langle m, sig, r, timestamp(r), r_1, y_1 \rangle$.

Case 4 The CA's secret and $RNG_2$'s secret are known to an adversary, who has no information about the secret of $RNG_1$. That is, the adversary knows the algorithm $SIG$, the values $\langle a_2, s_2 \rangle$ and several sets of $\langle m, sig, r, timestamp(r), r_2 \rangle$.

Note that the random number $r$ can be derived from a pair $\langle m, sig \rangle$ given knowledge of the signing key, namely $SIG$, as in most digital signature schemes based on discrete logarithms.

We informally clarify the security that our protocol has to satisfy.



Secrecy of Remaining Secrets. In our scenario, we assume that a leak of the secret occurs. However, the remaining secrets should be secure against various attacks after that. We show that the secrets that have not leaked remain secure in the above cases.



Lemma 6. For cases 1, 2 and 4, the repetition of the distributed computation protocol $Comb$ reveals no information about the values of $a_1$ and $r_1$ in an information-theoretic sense.

Sketch of the Proof We consider the worst case, that is, case 4. In this case, the adversary may know the values of $r, e_2, y_2$ and derive $r_2$ from $y_2, s_2, e_1, e_2$ every time he performs the protocol. As a consequence of repeating $Comb$ $n$ times, the adversary may know $n$ equations and the $3n + 1$ values $\langle a_2, r, r^{(2)}, \ldots, r^{(n)}, r_2, r_2^{(2)}, \ldots, r_2^{(n)}, e_2, e_2^{(2)}, \ldots, e_2^{(n)} \rangle$:

$$r = (a_1 + a_2)\, r_2 + e_2\, r_1,\quad r^{(2)} = (a_1 + a_2)\, r_2^{(2)} + e_2^{(2)}\, r_1^{(2)},\quad \ldots,\quad r^{(n)} = (a_1 + a_2)\, r_2^{(n)} + e_2^{(n)}\, r_1^{(n)} \pmod q.$$

However, the $n + 1$ values $\langle r_1, r_1^{(2)}, \ldots, r_1^{(n)}, a_1 \rangle$ are unknown. Therefore, these simultaneous equations do not have a unique solution and the adversary cannot know the values of $a_1$ and $r_1$. □



Lemma 7. For cases 1, 2 and 3, the repeated execution of the distributed computation protocol $Comb$ reveals no information about the values of $a_2$ and $r_2$ in an information-theoretic sense.

Sketch of the Proof We consider the worst case, that is, case 3. In this case, the adversary may know the values $\langle r, e_1, e_2, y_2 \rangle$ every time he performs the protocol. As a consequence of repeating $Comb$ $n$ times, the adversary may know $2n$ equations and $4n + 1$ values, including $a_1$:

$$r = (a_1 + a_2)\, r_2 + e_2\, r_1,\quad r^{(2)} = (a_1 + a_2)\, r_2^{(2)} + e_2^{(2)}\, r_1^{(2)},\quad \ldots,\quad r^{(n)} = (a_1 + a_2)\, r_2^{(n)} + e_2^{(n)}\, r_1^{(n)}$$

$$y_2 = r_2 + s_2 e_1 e_2,\quad y_2^{(2)} = r_2^{(2)} + s_2 e_1^{(2)} e_2^{(2)},\quad \ldots,\quad y_2^{(n)} = r_2^{(n)} + s_2 e_1^{(n)} e_2^{(n)} \pmod q.$$

However, the $2n + 2$ values $\langle r_1, \ldots, r_1^{(n)}, r_2, \ldots, r_2^{(n)}, a_2, s_2 \rangle$ are unknown. Therefore, these simultaneous equations do not have a unique solution and the adversary cannot know the values of $a_2$, $s_2$ and $r_2$. □

Lemma 8. The security of the value $s_1$ is equivalent to that of the signing key of the Schnorr signature scheme.

Sketch of the Proof $(e_1, y_1)$ is the Schnorr signature on the value $(H(m) \,\|\, t)$. $RNG_1$ does not output any other useful information for revealing the value of $s_1$. □

Using Lemmas 6 and 8, the following theorem has been shown.

Theorem 9. The secret of $RNG_1$ is as secure as the Schnorr signature scheme against the leakage of the secrets of $RNG_2$ and the CA, even after the progress of the protocol.

Similarly, the following theorem has been shown.

Theorem 10. The secret of $RNG_2$ is as secure as the Schnorr signature scheme against the leakage of the secrets of $RNG_1$ and the CA, even after the progress of the protocol.

The proofs are omitted due to space limitations.



Unforgeability. We have to consider the unforgeability of the timestamp. An adversary wishes to generate a new signature for arbitrarily selected messages. The signature algorithm $SIG$ itself is meaningless except in case 1, since the adversary can forge an arbitrary signature which passes the normal verification, using $SIG$ and a random number selected by himself. However, in our verification procedure, it is practically impossible to forge the signature without constructing the valid random number corresponding to the message $m$ and the time $t$. Therefore, we show that there is no efficient way to derive the valid random number from the published timestamps, the public parameters and the leaked information.

Theorem 11. The timestamp of one message does not reveal any useful information about any other timestamp.

Sketch of the Proof Let $m$ be the message which has the timestamp $(t, e_1, e_2, y_2)$ and let the random number be $r$. Let $m'$ be a message on which the adversary wants to forge the random number $r'$ and the timestamp $(t', e_1', e_2', y_2')$. At first, if the hash function $H(\cdot)$ is collision-free, it is difficult to find $(m', t')$ such that $(r, t, e_1, e_2, y_2) = (r', t', e_1', e_2', y_2')$ and $(H(m) \,\|\, t) = (H(m') \,\|\, t')$. Next, if $(H(m) \,\|\, t) \neq (H(m') \,\|\, t')$ and $H$ is secure, there is no correlation between $e_2$ and $e_2'$. Therefore, the knowledge of $(r, t, e_1, e_2, y_2)$ is not useful for constructing the forged random number and the corresponding timestamp.

Theorem 12. Any correlation between $g$ and $h$ cannot be found without knowing both the secrets $a_1$ and $a_2$.

Sketch of the Proof Let someone know the value $a_1$, where $h = g^{a} = g^{a_1} g^{a_2}$. If $a_2 \neq a_2'$, then $h = g^{a_1} g^{a_2}$ is not equal to $h' = g^{a_1} g^{a_2'}$, because $h/h' = g^{a_2 - a_2'} \neq 1$. Therefore, the probability distribution of $h$ is uniform and equal to the distribution of $a_2$. The same is true for $a_1$. □

Theorem 13. Let $\alpha, \beta$ be elements of order $q$ in $\mathbb{Z}_p^*$. Non-trivial values $k_1, k_2$ such that $\alpha^{k_1} = \beta^{k_2} \bmod p$ cannot be derived without knowledge of the value $a = \log_\alpha \beta$.

Sketch of the Proof If one can derive $k_1$ and $k_2$ without $a$, one can also compute $\log_\alpha \beta = k_1 / k_2$. This contradicts Assumption 2.3. □

Theorem 14. There is no efficient algorithm to derive a valid random number and the corresponding timestamp from the published timestamps, the public parameters and the leaked information.

Sketch of the Proof From Theorems 11 and 12, the adversary has to decide the values $l_1, l_2 \in \mathbb{Z}_q$ first and compute

$$e_2 = H(g^{l_1} h^{l_2} \bmod p \,\|\, H(m) \,\|\, t).$$

After this, we consider the worst cases 3 and 4.

Case 3 An adversary knows the values $a_1, s_1, r$. Let $\lambda_2 = h^{s_2} \bmod p$. Here,

$$g^{l_1} h^{l_2} = g^{s_1 e_1 + r/e_2}\, \lambda_2^{e_1}\, h^{-y_2/e_2} \pmod p.$$

From Theorem 12, the following equations have to be satisfied:

$$g^{l_1} = g^{s_1 e_1 + r/e_2} \pmod p \iff l_1 = s_1 e_1 + r/e_2 \pmod q \iff e_1 = \frac{l_1 - r/e_2}{s_1},$$

$$\lambda_2^{e_1} = h^{l_2 + y_2/e_2} \pmod p.$$

From Theorem 13, a non-trivial pair of $l_2 + y_2/e_2$ and $e_1$ cannot be derived from the second equation. Therefore, the unforgeability of the timestamp holds in this case.

Case 4 An adversary knows the values $a_2, s_2, r$. Let $\lambda_1 = g^{s_1} \bmod p$. Here,

$$g^{l_1} h^{l_2} = g^{r/e_2}\, \lambda_1^{e_1}\, h^{s_2 e_1 - y_2/e_2} \pmod p.$$

From Theorem 12, the following equations have to be satisfied:

$$g^{l_1} = g^{r/e_2} \lambda_1^{e_1} \pmod p \iff g^{l_1 - r/e_2} = \lambda_1^{e_1} \pmod p,$$

$$h^{l_2} = h^{s_2 e_1 - y_2/e_2} \pmod p \iff l_2 = s_2 e_1 - y_2/e_2 \pmod q \iff y_2 = e_2 (s_2 e_1 - l_2).$$

From Theorem 13, a non-trivial pair of $l_1 - r/e_2$ and $e_1$ cannot be derived from the first equation. Therefore, the unforgeability of the timestamp holds in this case as well. □

Randomness. Since the random numbers generated by the RNGs are used in signature generation, they should have sufficient randomness.

Theorem 15. The probability distribution of $r$ is equivalent to that of $r_1$ and $r_2$. Consequently, if $r_1$ and $r_2$ are random, $r$ is also random.

Sketch of the Proof $r$ is the linear combination of $r_1, r_2$ given by $r = a r_2 + e_2 r_1 \pmod q$. Therefore, the distribution of $r$ is obviously equal to that of $r_1, r_2$.

4.3 Efficiency 

Modular Exponentiation and Precomputation In our protocol, most of the computation for timestamp generation, especially the modular exponentiation, can be completed in a preprocessing stage, independent of the corresponding message and time. Hence, it can be done during idle time and does not affect the timestamping speed. Moreover, our protocol does not require any modular exponentiation at any timestamping stage. This is significant for the implementation, e.g. of the random number generator.

The Number of Communications Our protocol is also efficient in communication, since the number of messages in our protocol is only three. This feature is suitable for practical use.

The Length of the Timestamp According to [ref], $e_1, e_2, y_2$ are 160 bits and $t$ is almost 64 bits long. Consequently, the total length of the timestamp is only 550 bits. This result is also practical.

304 Y. Watanabe, H. Imai

5 Conclusion

In this paper, we presented a practical solution to cope with the leakage of a CA's signing key. In our protocol, two random number generators (RNGs) generate distinct random numbers, which are combined into a single random number that is used in the signature algorithm and into a timestamp which cannot be forged without revealing the secret of both RNGs. The verifier checks the timestamp and verifies the validity and the time at which the random number was generated. That is, it is impossible for adversaries to forge arbitrary certificates without revealing the secret of both RNGs.

The novel idea of our protocol is to combine the computational efficiency 
of the Schnorr signature scheme [ref] (extended by Okamoto [ref]) with the com- 
munication efficiency of the idea of Boneh-Franklin’s distributed computation 
protocol [ref]. Accordingly, we could achieve a reduction of the computations and 
communications. Our protocol is efficient enough for practical use. 

Our construction of the protocol is based on the discrete logarithm as- 
sumption. Digital signature schemes based on the DLP are often used in various 
scenarios [ref]. In such schemes, the random number r is required for gen- 
erating a signature, and g^r appears in the verification of the signature. Since 
the random numbers generated in our scheme satisfy the conditions required by gen- 
eral DLP-based signature schemes, our scheme is applicable to various systems 
without specifying the signature generation algorithm. 

In this paper, we examined the case of two RNGs. Our future work is to deal 
with more RNGs. 
Abstract. In this paper we present a new Auto-Recoverable Auto- 
Certifiable Cryptosystem that is based on an algebraic problem different 
from the original system (of Eurocrypt’98). Specifically, our new cryp- 
tosystem uses generalized ElGamal and RSA. It has the following new 
advantages: (1) the escrow authority’s key can be set-up much faster 
than in the original scheme; and (2) It can be used to implement the 
notion we introduce here of what we call “escrow hierarchy.” 

Key words: Key Escrow, Public Key, Auto-Recoverable Auto-Certifiable 
Cryptosystems, ElGamal, RSA, NIZK, software key escrow, escrow hi- 
erarchy. 



1 Introduction 



The problem of conducting software key escrow efficiently in the context of public 
key infrastructure (PKI) was recently solved in [ref]. In their paper, Young 
and Yung present a solution that is based on generalized ElGamal. In summary, 
their algorithm allows a user to generate an ElGamal key pair and a 
certificate of recoverability. The certificate can be used to prove that the user’s 
private key is recoverable by the escrow authorities. Anyone in possession of the 
public key of the escrow authorities, the user’s public key, and the certificate 
is capable of verifying that the user’s private key is recoverable. The certificate 
itself is used by the escrow authorities to recover the private key. 

It is important to have a variety of options when implementing a cryptosys- 
tem, employing different algebraic problems. It is also interesting, due to the fact 
that the system is new, to improve the efficiency of the original scheme and to 
build more functionality into the notion of auto-recoverable systems. Indeed, 
we propose a scheme which outputs an ElGamal public key for the user; the 
escrow authority’s key is based on RSA. 

Recall that in Young and Yung’s algorithm, the system parameters r, q, and 
p must be generated such that p = 2q + 1 = 4r + 3, where r, q, and p are prime. 
Such values, needed for generating the escrow authorities’ keys, are difficult to find 
for r > 1024 bits. In [ref] the feasibility of that construction was carried out 
and shown to take considerable time (heuristically the time required becomes 
proportional to the cube of the reciprocal of the probability of a number being 
prime). 

Our results: (1) In our proposed system, it is much easier to generate the 
system parameters, since we only require a relationship between two rather than 
three large integers; this fact is true for a centralized escrow authority. Our 
system is still implementable in a distributed fashion due to a recent development 
regarding distributed RSA key generation. (2) We define the notion of escrow 
hierarchy and implement a two level hierarchy based on a combined system. 



2 Background and Definitions 

Informally, an Auto-Recoverable and Auto-Certifiable cryptosystem is a system 
that allows a user to generate auto-certifiable keys efficiently. The following is 
the formal definition from [ref]. 

Definition 1. An Auto-Recoverable and Auto-Certifiable Cryptosystem is an 
(m+2)-tuple (GEN, VER, REC_1, REC_2, ..., REC_m) such that: 

1. GEN is a publicly known poly-time probabilistic Turing Machine that takes no 
input and generates the triple (K_1, K_2, P) which is left on the tape as output. 
Here K_2 is a randomly generated private key and K_1 is the corresponding 
public key. P is a poly-sized certificate that proves that K_2 is recoverable by 
the escrow authorities using P. 

2. VER is a publicly known poly-time deterministic Turing Machine that takes 
(K_1, P) on its input tape and returns a boolean value. With very high prob- 
ability, VER returns true iff P can be used to recover the private key K_2. 

3. REC_i, where 1 ≤ i ≤ m, is a private poly-time deterministic Turing Ma- 
chine that takes P as input and returns share i of K_2 on its tape as output, 
assuming that K_2 was properly escrowed. The Turing machines REC_i for 
1 ≤ i ≤ m can be used collaboratively to recover K_2. 

4. It is intractable to recover K_2 given K_1 and P without REC_1, ..., REC_m. 

It is assumed that the Certification Authority (CA) will not publish a public 
key unless it is verified that the corresponding private key is escrowed properly. 
Let EA_i denote Escrow Authority i. It is also assumed that EA_i knows only 
REC_i, in addition to what is publicly known. Our system is used as follows. 
To publish a public key, user U runs GEN and receives (K_1, K_2, P). U keeps K_2 
private and encrypts the pair (K_1, P) with the public key of the CA. U then sends 
the resulting ciphertext to the CA. The CA decrypts this value, and recovers 
(K_1, P). The CA then computes VER(K_1, P), and publishes K_1 in the database 
of public keys iff the result is true. Otherwise, U’s submission is ignored. The 
certificate P is not published in either case. We will explain the reason for this 
later. Suppose that U’s public key is accepted and K_1 appears in the database 
of the CA. Given P, the escrow authorities can recover K_2 as follows. EA_i 
computes share i of K_2 by running REC_i(P). The authorities then pool their 
shares and recover K_2. 



A. Young, M. Yung 



The notion of a shadow public key system is due to [ref]. In a shadow 
public key system, a conspiring user publishes his or her unescrowed public key 
within the information corresponding to his or her legitimate public key which is 
displayed in the public key database. Thus, the escrowed public key database is 
used as an unescrowed public key database by the conspirators. An escrow system 
is said to be shadow public key resistant if it is not possible for conspirators to do 
this. Young and Yung’s system was argued to be shadow public key resistant so 
long as the certificates of recoverability are not published. The same also holds 
for the system that we propose herein. The system in fact has the numerous 
specifications of software key escrow given in [ref]. 



2.1 Mathematical Preliminaries 

Our system requires the following cryptographic assumption. 

Problem 1: Without knowing the factorization of n, find x, where x ∈ Z_{2tn}, 
given x^e mod 2tn and g^x mod p. Here, p = 2tn + 1, n = qr, p, q, and r are large 
primes, t is a small prime, g generates a large subgroup of Z_p, and gcd(e, φ(tn)) 
= 1. In this work e = 3. 

We were unable to prove that the above problem is a cryptographically hard 
problem. Thus, the difficulty of Problem 1 is a cryptographic assumption in 
regards to our system. We also assume that a modified version of the RSA 
problem is hard. Namely, that it is hard to compute the entire plaintext if we 
reduce modulo 2tn, as opposed to reducing modulo n as in RSA. Recall that t 
is a small prime number.¹ 

Intuitively, it seems that Problem 1 should be hard, since x^e mod 2tn is a 
presumed one-way trapdoor function of x, and g^x mod p is a presumed one-way 
function of x. Clearly, Problem 1 is not hard if cracking RSA is not hard, or if 
computing discrete logs is not hard. 



Related Work 



There is a wealth of proposed solutions to the problem of key escrow. Various 
hardware solutions have been proposed. Yet, it has been shown that these hard- 
ware solutions should not be automatically trusted due to their black-box nature 
[ref]. Several protocol-based solutions that can be implemented 
in software have been proposed [ref]. These solutions, namely Fair Pub- 
lic Key Cryptosystems and Fail-safe Key Escrow systems, respectively, impose 
a significant amount of overhead for the user in excess of what is present in a 
typical unescrowed public key system. Recently, a “Fraud-Detectable Alterna- 
tive to Key-Escrow Proposals” based on ElGamal was described in [ref]. This 
system was shown not to be fraud-detectable in the case of colluding criminals 
[ref]. Furthermore, this solution operates at the session level, and the proofs 
involved introduce a significant amount of space overhead per communication 
session. Various other solutions (like the TTP and some industry proposals) 
require changes of the session level outside the PKI protocols which may not 
give a global solution due to the extensive required changes in applications and 
communications. The solution in [ref] is attractive for use as a key escrow 
system because, from the user’s perspective, the system is as easy to use as a 
typical public key system, and it does not require any changes outside the PKI 
protocols (along with many other properties, see [ref]). 

¹ In our implementation we can actually give the CA the value mod n and always 
choose values which are fixed and known mod 2t. 

A feature that an escrow system should have is the ability of the escrow 
authorities to recover selected messages of users, without being able to recover all 
of the messages [ref]. This capability is useful because it allows court orders to 
specify exactly which messages of a suspected criminal are to be decrypted, and 
hence does not completely compromise the privacy of the suspected user, who 
may be innocent. Our proposed system supports this capability. The system’s 
set-up of the authority key can be done distributedly [ref]. 






3 The Scheme 

The following is a description of our Auto-Recoverable and Auto-Certifiable 
cryptosystem. 



3.1 System Setup 

The escrow authority (authorities) generate a shared Blum integer n = qr, where 
q and r are prime. The escrow authorities then make sure that gcd(3, φ(n)) = 
1. If this condition does not hold, then the escrow authorities generate a new n. 
The escrow authorities then compute p = 2tn + 1, where t is drawn from the 
first, say, 256 strong primes starting from 11, inclusive. If p is found to be prime 
using one of these values for t, then the values for n and p have been found. If 
none of the values for t causes p to be prime, this entire process is repeated as 
many times as necessary. Note that t = 2t' + 1 where t' is prime. Since we insist 
that t > 7, we are guaranteed that gcd(3, φ(tn)) = 1. Once n and p are found, 
the escrow authorities generate the private shares d_1, d_2, ..., d_m corresponding to 
e = 3. A value g ∈_R Z_p is chosen such that g has an order that is at least as 
large as the smallest of q and r, in the field Z_p (recall that the factorization of 
n is not known). The values t, n, and g are made public. 

This system can be set up much faster than [ref] since the escrow author- 
ity can generate a composite modulus very quickly, and in order to find a prime 
p, t can be varied as needed. The expected time to find such a p is inversely 
proportional to the density of primes. In contrast, in [ref] the system setup 
relied on finding three primes with a rigid relationship between them. Heuris- 
tically this means that sampling such primes may take an expected time which is 
inversely proportional to the density of the primes cubed. 
3.2 Key Generation 

GEN operates as follows. It chooses a value x ∈_R Z_{2tn} and computes C = 
x^3 mod 2tn. x is the user’s ElGamal private key. GEN then computes y = 
g^x mod p. The user’s ElGamal public key is (y, g, p). Note that g may not 
necessarily generate Z_p, but we can make sure that it generates a large subgroup 
of Z_p. GEN also computes a non-interactive zero-knowledge proof based on C 
and y. The following is how this proof is constructed. 

1. choose r_1, r_2, ..., r_N ∈_R Z_{2tn}. 

2. compute C_i = r_i^3 mod 2tn for 1 ≤ i ≤ N 

3. compute v_i = y^{r_i} mod p for 1 ≤ i ≤ N 

4. b = H((C_1, v_1), (C_2, v_2), ..., (C_N, v_N)) mod 2^N 

5. b_i = (2^i AND b) > 0 for 1 ≤ i ≤ N 

6. z_i = r_i x^{b_i} mod 2tn for 1 ≤ i ≤ N 

Here N is the number of iterations in the NIZK proof (e.g., N = 40). Con- 
cerning step 1, technically the prover has a chance that one of the r_i will 
have q or r in its factorization; this is highly unlikely. Note that b_i in step 
5 results from a boolean test: b_i is 1 if, when we take the logical AND of 
2^i and b, we get a value greater than zero. It is 0 otherwise. The proof P is 
(C, (C_1, v_1), (C_2, v_2), ..., (C_N, v_N), z_1, z_2, ..., z_N). GEN leaves ((y, g, p), x, P) on the 
output tape. Criterion 1 of Definition 1 is therefore met. The use of H is akin to 
the Fiat-Shamir method to make the proofs non-interactive [ref]. 



3.3 Public Escrow Verification 

VER takes ((y, g, p), P) on its input tape and outputs a boolean value. VER 
verifies the following things: 

1. C^{b_i} C_i = z_i^3 mod 2tn for 1 ≤ i ≤ N 

2. v_i = g^{z_i} mod p if b_i = 1, and v_i = y^{z_i} mod p if b_i = 0, for 1 ≤ i ≤ N 

VER returns true iff both criteria are satisfied. Note that skeptical verifiers 
may also wish to check the parameters supplied by the escrow authorities (e.g., 
that n is composite, p is prime, etc.). 

It is clear that this proof system is complete. The proof of soundness and 
an informal proof that this constitutes a proof of knowledge are given in the next 
section. 



3.4 Key Recovery 

REC_i recovers share i of the user’s private key x as follows. REC_i takes C 
from P. It then recovers share s_i using the private share d_i. It outputs s_i on its 
tape. The authorities then pool their shares and x is computed. Criterion 3 of 
Definition 1 is therefore met. 
3.5 Recovering Plaintext Data 

The escrow authorities can recover the plaintext of users suspected of criminal 
activity without recovering the user’s private key itself. In this section, we as- 
sume that the method being used is [ref]. In our case the private decryption 
exponent is d = … mod φ(tn), and d is the inverse of 3 mod φ(tn). To 
decrypt the ElGamal ciphertext (a, b) of a user U the escrow authorities proceed 
as follows: 

1. Each of the m escrow authorities receives C corresponding to U. 

2. Escrow authority 1 computes s_1 = … mod p. 

3. Escrow authority i + 1 computes s_{i+1} = s_i^{d_{i+1}} mod p. 

4. Escrow authority m decrypts (a, b) by computing b/(s_{m-1}^{d_m}) mod p. 

Since the escrow authorities do not reveal the values, no one can recover 
x. 

4 Security of the Trapdoor Values 

Assuming the difficulty of computing discrete logs, it is intractable to find x 
given y as constructed by GEN. We would like to prove that it is intractable to 
find x given C and y. However, doing so would amount to proving that Problem 
1 is hard. We have therefore shown that the trapdoor values in n, y, and C are 
secure, under the RSA mod 2tn assumption (where some 1 + log t information 
theoretic bits may be leaked), the discrete log assumption, and assuming that 
Problem 1 is hard. Thus, under these assumptions, the three values n, y, and 
C can be published together without fear that the corresponding hidden values 
will be found. It follows that criterion 4 of Definition 1 is met. 

5 Security of the New Cryptosystem 

We have to show that the additional information constitutes a proof system that 
assures that the user knows its public key and the recoverability (proof of knowl- 
edge), while not revealing additional information (i.e., being zero-knowledge). 

The proof of completeness is immediate. Consider the proof of soundness. 
A prover can forge an invalid proof if he can find a C and a y such that the cube 
root of C mod 2tn is not congruent to x in y = g^x mod p, and have these two values pass the N 
verifications. 

Claim 1. If the cube root of C mod 2tn is not congruent to x in y = g^x mod p, then the prover will 
fail the proof with overwhelming probability. 

Proof. Assume that the prover knows t where t^3 = C mod 2tn. Also, assume 
that the prover knows u where y = g^u mod p, and t is not congruent to u mod 2tn. 
Consider the case where the prover guesses that b_i = 0. The prover then follows 
the protocol and reveals z_i = r_i. The prover clearly passes the verifications 
in this case. Now suppose the prover guessed wrong, and b_i = 1. To pass the 
first verification in round i, the prover must reveal z_i = t r_i mod 2tn, because 
(t r_i)^3 = C C_i mod 2tn. But then the prover will fail the second verification. To 
see this note that g^{z_i} = g^{t r_i} = (g^t)^{r_i} mod p, but y = g^u mod p, so v_i = y^{r_i} = (g^u)^{r_i} mod p. Suppose 
that the prover guesses that b_i will be 1. The prover then chooses w_i ∈_R Z_{2tn} 
and computes C_i = w_i^3 / C mod 2tn, and v_i = g^{w_i} mod p. The prover sends C_i, v_i, 
and z_i = w_i to the verifier, and clearly passes if his guess is correct. Suppose 
the prover guesses wrong. To pass the second check, the prover must instead 
send z_i = u^{-1} w_i mod 2tn. This will pass since y^{u^{-1} w_i} = (g^u)^{u^{-1} w_i} = g^{w_i} = v_i. 

But then the prover will fail the first check. To see this, suppose for the sake of 
contradiction that the prover will pass the first check. We have that (u^{-1} w_i)^3 = 
(u^{-1})^3 C C_i = (u^{-1} t)^3 C_i. Clearly, (u^{-1} t)^3 C_i = C_i iff u = t. But u = t contradicts 
our assumption that the plaintext of C is not the discrete log of y. So, the prover 
will fail the first check in this case. Thus the prover will fail a given round with 
probability 1/2. From this it follows that the proof is sound. QED. 

The following is a sketch of the proof that this system constitutes a zero- 
knowledge proof system. This proof applies to the interactive version of our 
proof system. The Fiat-Shamir methodology and a random oracle assumption are 
used for the non-interactive proof of zero-knowledge. The poly-time probabilistic 
simulator S works as follows. S first puts C, the problem instance, in the output 
transcript P. S chooses r_i ∈_R Z_{2tn}. S then flips a coin. If the result is heads, S 
computes C_i = r_i^3 mod 2tn, and v_i = y^{r_i} mod p. If the result is tails, S chooses 
C_i = r_i^3 / C mod 2tn, and v_i = g^{r_i} mod p. The restartable verifier subroutine V* 
is then invoked. V*, given its stored history, responds with heads or tails. If S 
guessed correctly, then (C_i, v_i) is added to P. Otherwise, this iteration is started 
over again. By induction on i, it can formally be shown that the probability 
distribution over the transcripts generated by S is the same as the distribution 
of those generated by the prover and the verifier. 

We will now give a sketch of the proof that this proof constitutes a proof 
of knowledge. Suppose that the knowledge extractor is given both possible re- 
sponses z_i, call them u_0 and u_1, where the subscript equals b_i, in a given round. 
It follows that the knowledge extractor can extract a value z by computing 
u_1/u_0 = z. Since C_i = u_0^3 mod 2tn and since C C_i = u_1^3 mod 2tn, it follows 
that u_1^3/u_0^3 = C = z^3 mod 2tn. Thus, z is the plaintext of C. Also, since 
v_i = y^{u_0} mod p and since v_i = g^{u_1} mod p, it follows that x u_0 = u_1 mod 2tn. Therefore, 
x = u_1/u_0 = z, the value extracted. The knowledge extractor therefore extracts 
the plaintext of C, which is also the discrete log of y to the base g modulo p. Thus we have shown that 
criterion 2 of Definition 1 is met. 

Claim 2. Assuming that RSA mod 2tn is secure, our auto-recoverable auto- 
certifiable cryptosystem is a complete, sound and zero-knowledge proof of knowl- 
edge. 

Finally, the motivation for not allowing the CA to publish P will now be 
explained. If P is published for each user, then our system can be used to support 
a shadow public key infrastructure. To see this, note that a set of conspiring users 
can agree on the following way to abuse the system. It is agreed that the first 
iteration of the proof in which b_i = 0 will be used to display the shadow public 
key in the value for z_i. So, a conspirator can display a shadow public key in P 
as follows. He generates N public keys, and uses these N values as his N values 
for the r_i in the proof. Then, assuming that b_i will be zero at least once, he is 
able to display a shadow public key in P. 



6 Depth-3 Escrow Hierarchy 



Let us introduce the notion of escrow hierarchy by an example. Consider a 
scenario in which each U.S. state needs to be able to escrow the private keys of 
its residents, and the federal government needs to be able to escrow the private 
keys of all U.S. citizens. However, the state police of New York should not be 
able to successfully wiretap the communications of residents of California, and 
vice-versa. This application calls for an escrow hierarchy, which can be thought 
of as a depth-3 tree. The federal government is the root, the states are the middle 
nodes, and the citizens are the leaves of the tree. This defines by example what 
an escrow hierarchy is. 

The following is how to realize such a system using our proposed system in 
conjunction with the algorithm from [ref]. The escrow authorities generate 
a shared composite n such that q' = 2tn + 1 is prime, and such that p = 2q' + 1 
is prime. Here t is a small prime of the form 2t' + 1 where t' is prime. Thus, from 
the root of the tree to the children of the root, the escrow system that is used is 
the one that is described in this paper. It is somewhat more difficult to generate 
an appropriate prime 2tn + 1 in this case, since 4tn + 3 must also be prime (so 
we have the same inefficiency as in [ref]). 

Each child of the root (intermediate node) then generates a (potentially 
shared) public key Y mod 2q'. Thus Y is an ElGamal public key in ElGamal 
mod 2q'. 

The leaves corresponding to (i.e. under) each of these intermediate children 
then generate escrowed keys based on the values for Y using the algorithm from 
[ref]. Thus, the algorithm of [ref] is used between the intermediate nodes 
and the users at the leaves. Note that in this case the generator that is used in 
Y may only generate a large subgroup. 

Using the arguments in this paper and in [ref] we can show how the 
hierarchical system is strictly preserved by the construction. 



7 Conclusion 

We presented a new implementation of an Auto-Recoverable and Auto-Certifiable 
cryptosystem based on generalized ElGamal and assuming the difficulty of gener- 
alized ElGamal, and modified RSA. By making a reasonable new cryptographic 
assumption, and by using the above assumptions, we showed our scheme to be 
secure. We also introduced the notion of escrow hierarchy. 

The new scheme can either be used for faster initialization, or as part of an 
escrow hierarchy, a notion we have presented herein. It also demonstrates an 
alternative implementation of auto-recoverable systems. 
Abstract. With the development of high speed computer networks, 
video service on the Web has huge market potential in that the video 
service can be provided to subscribers with greater time and schedule 
flexibility compared to the current cable TV system. Under the pay-per- 
view (PPV) scheme, subscribers only need to pay for the programs that 
they have watched. A critical issue on PPV service is the capability of 
settling disputes over PPV service charges. This is especially important 
in the case that the Internet communication could be interrupted (by 
accident or deliberately) in the middle of a viewing session. This paper 
proposes a fair PPV billing protocol for web-based video service. With 
this protocol, a video service will be divided into small units, and a sub- 
scriber needs to submit cryptographic evidence which enables fair billing 
based on the number of units being provided in a viewing session. In 
addition, by the establishment of a one-way sequential link, the validity 
of evidence is maintained efficiently without any involvement of trusted 
third parties. Our scheme is lightweight in terms of the storage re- 
quirement and computation overheads on subscribers, thus subscribers 
can request PPV service securely with their own smart cards regardless 
of their physical location. 

Keywords: pay-per-view, video service, fair billing, validity of evidence 



1 Introduction 

Cable TV is a popular entertainment medium in our daily life. The charging 
mechanism for cable TV is very simple, where cable television companies pro- 
vide premium channels on a monthly basis to subscribers who pay a flat fee 
irrespective of their viewing habit. A special device known as the set-top box 
(STB) should be installed by subscribers, which receives the encrypted signal 
from a premium channel, decrypts and decodes the compressed digital video 
and passes the signal to the television. The system does not permit subscrib- 
ing or unsubscribing to these channels prior to the showing of some particular 
program. 

Pay-per-view (PPV) service has advantages over cable television service 
in that it can offer greater time and schedule flexibility to customers. With the 
development of high speed computer networks, it is possible to provide video 
services on the Web to customers with more flexibility. Under the PPV scheme, 
customers may choose to watch programs they are interested in at any time, and 
only need to pay for the programs that they have watched [ref]. 

A critical issue on PPV service is to make provision for settling possible 
disputes over PPV service charges, especially in the case that the communication 
is interrupted (by accident or deliberately) in the middle of a viewing session. 
In order for the Web-based PPV service to be widely accepted, it is important 
that customers are not wrongly charged because of the more complex charging 
mechanism over a less reliable delivery medium. 

In this paper, we propose a fair PPV billing protocol for web-based video 
service. With this protocol, a video service will be divided into small units, and 
a customer needs to submit cryptographic evidence which enables fair billing 
based on the number of units being provided in a viewing session. In addition, 
by the establishment of a one-way sequential link, the validity of evidence is 
maintained efficiently without any involvement of trusted third parties. Our 
scheme is light-weighted in terms of the storage requirement and computation 
overheads on customers, thus can be implemented in a resource scarce device 
such as a smart card. 

The rest of the paper is organised as follows. We establish the model of PPV 
service on the Web and identify the security requirements in the next section. 
In Section 3 we present a simple PPV billing protocol and analyse its weakness. 
In Section 4 we propose a fair PPV billing protocol and demonstrate how to 
settle the billing problem with evidence collected in our protocol. We then 
put forward an efficient approach to maintaining the validity of evidence. In 
Section 5 we assess the feasibility of protocol implementation in a smart card 
to support mobility of subscribers. The final section concludes the paper. 

The following basic notation is used throughout the paper. 

• X,Y: concatenation of two messages X and Y. 

• H(X): a one-way hash function of message X. 

• eK(X): encryption of message X with key K. 

• sS_A(X): party A’s digital signature on message X with the private signature 
key S_A. 

• S_A and V_A: party A’s private signature key and public verification key. 

• P_A and its corresponding private key: party A’s public encryption key and private decryption key. 

• A → B : X: party A sends message X to party B. 

2 PPV Service Model 

Suppose a video service provider S offers PPV service on the Web. If a customer 
C intends to obtain PPV service from S, C needs to make a subscription to S. 
Thereafter, C will receive a bill periodically from S for video services C requested 
from S during the charging period. In general, we can divide PPV service into 
four stages: 

1. Subscription 

2. Browse 

3. Request and View 

4. Payment and Dispute Resolution 

At Stage 1, C needs to provide his public key certificate issued by some 
certification authority (CA) [ref] trusted by S, and his (email) address for receiving 
bills. After checking C’s subscription information, S will open an account for C. 
Such an account may be maintained until C cancels his subscription or C’s public 
key certificate expires. 

At Stage 2, C can browse the catalogue of video programs provided by S, 
which may include the titles, abstracts, and duration of each program, as well 
as the price for a view of each of the listed programs. Once a choice is made, C 
enters Stage 3 when he sends a view request to S. The request contains enough 
information to enable S to charge the service request to C’s account before video 
is delivered. C will be billed at Stage 4 for services he requested from S. 

To provide a secure PPV service, we should first identify the risks that each 
party is subject to. The PPV service provider S is subject to the following risks: 

S1. video stream may be tapped by a non-subscriber; 

S2. C denies request for services; 

S3. C denies receipt of the service he requested; 

S4. C claims that the service was interrupted before completion. 

On the other hand, the subscriber C is subject to the following risks: 

C1. a hacker may masquerade as C to obtain free service; 

C2. C is charged for a service he did not request; 

C3. C is charged but did not obtain the (complete) service; 

C4. C is overcharged for a service he requested. 
To protect against risks S1 and C1, entity authentication should be con- 
ducted between S and C, and video streams should be transmitted in cipher 
text. The remaining risks can be summarised as repudiation of billing, which is 
addressed in this paper. 

Repudiation is defined as “denial by one of the entities involved in a commu- 
nication of having participated in all or part of the communication” [ref]. Non- 
repudiation services protect the transacting parties against any false denial that 
a particular event or action has taken place. The basic non-repudiation services 
are: 



— Non-repudiation of Origin (NRO) which provides the recipient of a message 
with evidence of origin of the message to protect against any attempt by the 
originator to falsely deny having sent the message. 

— Non-repudiation of Receipt (NRR) which provides the originator of a message 
with evidence of receipt of the message to protect against any attempt by 
the recipient to falsely deny having received the message. 

In the case of PPV service on the Web, it is desirable that subscribers cannot 
deny receipt of services they requested. On the other hand, subscribers should 
not be wrongly charged due to any billing error or security breach on the serving 
network. Non-repudiation of Billing (NRB) is a security service established be- 
tween a service provider and its subscribers to enable the settlement of disputes 
over the correctness of service charges. 

NRB could be built on NRR by demanding evidence of receipt from a sub- 
scriber being served. Some non-repudiation protocols exist for fair exchange of 
a message and evidence of receipt of the message [ref], thus achieving non- 
repudiation of billing. However, it is infeasible to achieve NRB in such a way if 
the content of a message to be transmitted is not completely fixed before the end 
of a transaction (e.g. a live program which is transmitted while actually hap- 
pening), or if the service charge is unrelated to the content of a message to be 
transmitted (e.g. the charge of a phone call). Instead, non-repudiation of billing 
for these services is mainly based on the duration of a communication session 
being connected. PPV service is provided with a real-time connection between the 
service provider and the subscriber being served. This paper aims to propose a 
fair PPV billing protocol which makes the correctness of PPV service charges 
undeniable. 

When a subscriber C requests a video program from S, he needs to provide 
S with evidence which can be used to prove that C is charged correctly for the 
service offered. S is responsible for maintaining the evidence until C has settled 
the bill. If C is in doubt of the bill, C can lodge a complaint to S and S can use 
the evidence to check whether C is wrongly charged. If both parties cannot reach 
an agreement by themselves, an arbitrator may be invoked to settle the dispute 
over the correctness of the bill. The arbitrator may ask S to present evidence to 
prove the service supplied to C. If S cannot present the evidence, C can reject 
the payment. Otherwise, C has to pay the bill. 

3 A Simple PPV Billing Protocol — SPPV 

The security of Stage 3 is the key to a successful PPV service. This is because 
PPV service has a complex charging mechanism and a subscriber is billed ac- 
cording to the video programs requested over the charging period. As disputes 
may arise concerning the correctness of a bill, it is important to establish certain 
evidence at this stage in order to enable the settlement of disputes at Stage 4. 
Such evidence is usually represented by digital signatures. Here we present 
a simple PPV billing protocol SPPV. 

Suppose C is a subscriber at S, then S holds C’s public key certificate. We 
assume that S’s public key certificate is publicly available to its subscribers. 
Once C has chosen a video program to watch, C can make a view request as 
follows. 

1. C → S: Id, Pr, Tg, sSc(S, Id, Pr, Tg) 

2. S → C: ePc(Ks), sSs(C, Id, Tg, Ks) 

3. C → S: H(C, S, Id, Tg, Ks) 

In the above protocol, Id is the identifier of a video program, Pr is the price 
for viewing this program, Tg is the date and time that C’s service request is 
made, and Ks is a session key issued by S to C for deciphering the video stream to 
be transmitted. 

Protocol SPPV is efficient for implementation. When making a view request, 
the subscriber C first generates a digital signature on his request as evidence 
and sends the signed request to the service provider S at Step 1. After verifying 
C’s request, S issues a session key Ks to C at Step 2. Here the privacy of Ks 
is protected with C’s public encryption key Pc while the authenticity of Ks 
is ensured with S’s digital signature. The advantage is that C and S need not 
share a secret in advance. (The more secrets to be shared, the more difficult to 
manage these secrets.) By verifying S’s digital signature, C can be sure that his 
view request is successful and Ks is the session key to be used for protecting the 
subsequent video stream. The reply from C to S at Step 3 makes S believe that 
C has received Ks and is ready for receiving the service. 

Protocol SPPV provides a limited protection for the correctness of PPV 
service charges. Once S holds C’s signed view request, C cannot deny the service 
charge. In other words, C has to be committed to the payment before viewing 
the program, which is unfair to C in the transaction. After submitting the view 
request, C has to wait for the service from S. However, C may not receive a 
complete service if the communication is suddenly interrupted, and it will be out 
of C’s control to cancel his view request in such a case. Without S’s agreement, 
C will be liable to the charge on any service he requested, even if the service 
is incomplete. Such a policy is necessary in protocol SPPV. Otherwise, C may 
terminate a service before completion and thus deny the charge if he finds that the 
program is not interesting or if he cannot go on watching the program for other 
reasons. 

4 A Fair PPV Billing Protocol — FPPV 

As we pointed out in Section 3, protocol SPPV does not protect against the 
billing problem due to sudden interruption of communication in the middle of a 
viewing session. Such a scenario leaves subscribers in an unfair billing situation, 
and is especially undesirable in a network where bandwidth is not guaranteed 
such as the Internet. This section presents a fair billing protocol based on a 
combination of digital signature and one-way hash chain techniques originating 
from [13]. 

A one-way hash chain is constructed by recursively applying an input string 
to a one-way hash function H, denoted as 

H^i(x) = H(H^{i-1}(x)) (i = 1, 2, ...) 

where H^0(x) = x. According to the feature of a one-way hash function, if x is 
chosen randomly and the hash chain is kept secret, given H^i(x) it is computa- 
tionally infeasible for anyone except the originator of the hash chain to find the 
input H^{i-1}(x). This forms the basis of our fair PPV billing protocol FPPV. The sub- 
scriber C can include a chained one-way hash value in his signed view request. 
Then C releases other chained hash values at a pre-defined interval during the 
service. S only needs to store the last hash value released by C as evidence to 
prove the duration of the service provided to C. 

4.1 The Protocol 

In the catalogue of video programs provided by S, the size of a charging unit L 
(e.g. 1 minute, 5 minutes, or 10 minutes etc.) and the number of units m for each 
program should be specified. Suppose C has browsed the catalogue and chosen a 
video program to watch. When C requests to view the program, C first chooses 
a random number n, and generates m chained one-way hash values as follows: 

H^i(n) = H(H^{i-1}(n)) (i = 1, 2, ..., m) 

where H^0(n) = n. C keeps H^0(n), H^1(n), ..., H^{m-1}(n) secret. Then C initiates 
the following view request protocol. 

1. C → S: Id, Pr, L, m, H^m(n), Tg, sSc(S, Id, Pr, L, m, H^m(n), Tg) 

2. S → C: ePc(Ks), sSs(C, Id, Tg, Ks) 

3. C → S: H(C, S, Id, Tg, Ks) 

After C makes a successful view request, C will release H^i(n) (i = m-1, m-2, ...) 
to S at a pre-defined interval L during the service.³ S will check whether 
H(H^i(n)) = H^{i+1}(n). If true, S will overwrite the previous H^{i+1}(n) and save 
the current H^i(n) as a piece of evidence, and provide the next unit of service to C. 
If S does not receive H^i(n) or receives an incorrect H^i(n), S will cut off the service 
(with a warning in advance). 

³ C can make use of the number of video frames he received from S as a counting 
mechanism. 

If the communication is interrupted accidentally in the middle of a service, 
the service can be continued from where it has stopped after the communication 
is recovered. Suppose the service was interrupted after C had released the jth 
chained hash value H^{m-j}(n). C only needs to initiate the following reconnection 
protocol. 

1. C → S: Id, Tg, j, H^{m-j}(n) 

2. S → C: ePc(Ks), sSs(C, Id, Tg, Ks) 

3. C → S: H(C, S, Id, Tg, Ks) 

A deadline may be defined for a valid reconnection request in the service policy. 
After receiving C’s reconnection request, S will check whether the request is 
made before the deadline and matches the last chained hash value H^{m-j}(n) 
held by S. If successful, the session key Ks will be re-established⁴ and S will 
continue the service from the jth unit. 

The above mechanism can support a more flexible charging policy in PPV 
service. Subscribers could be allowed to terminate a service before completion if 
they find that the program is not interesting or if they cannot go on watching 
the program for other reasons, and they may only be charged for the part of 
the program they have watched. This billing scheme does not provide complete 
fairness since the last unit of service may remain in dispute if the communication 
is terminated before completion of the service. Nevertheless, as long as the service 
provider S chooses an appropriate size of charging unit L, the possible loss of 
one-unit service charge can be limited to a negligible level. 



4.2 Dispute Resolution 

The PPV service provider S sends a bill to the subscriber C periodically. If C 
is in doubt of the charges, C can lodge a complaint to S and S will use the 
evidence collected at Stage 3 to check whether C is wrongly charged. If both 
parties cannot reach an agreement by themselves, a third party arbitrator may 
be invoked to settle the dispute over the correctness of the bill. The arbitrator 
may ask S to present evidence to prove the service supplied to C. If S cannot 
provide such evidence, the arbitrator will conclude that C is wrongly charged. 
Hence, S is responsible for maintaining the evidence until C has paid the bill. 

⁴ To avoid re-encrypting the video stream, S may choose the same session key as the 
one used before interruption. 

Besides C’s signed view request, the last chained hash value released by C 
in PPV service is vital for a fair settlement of the billing problem. For example, 
the evidence of a complete service with the duration of L * m supplied to C is 

S, Id, Pr, L, m, H^m(n), Tg, sSc(S, Id, Pr, L, m, H^m(n), Tg), H^0(n) 

After receiving the above evidence from S, the arbitrator will check 

— whether C’s digital signature sSc(S, Id, Pr, L, m, H^m(n), Tg) is valid; 

— whether H^m(H^0(n)) = H^m(n), where H^0(n) is the last chained hash value 
collected by S. 

If the first check is positive, the arbitrator will believe that C made the view 
request. If the second check is also positive, the arbitrator will conclude that C 
was provided the service with a duration of L * m and C is responsible for the 
corresponding charge Pr. 

Since a service may be interrupted (by accident or deliberately) before com- 
pletion, a billing policy should be defined for incomplete services. Suppose the 
above service was interrupted after S had received the jth chained hash value 
H^{m-j}(n) from C. The arbitrator can make a similar check as above to see 
whether H^j(H^{m-j}(n)) = H^m(n). If so, the arbitrator will conclude that C was 
provided an incomplete service with a duration of L * j. Depending on the billing 
policy for incomplete services, C will be liable for a charge accordingly. 
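The hash-chain evidence mechanism of Sections 4.1 and 4.2 in working form, as an added example that is not code from the paper: C commits to H^m(n), releases one value per unit, S keeps only the last accepted value, and the arbitrator checks H^j(last) = H^m(n). SHA-1 stands in for H (20-byte values, as assumed in Section 6); signatures, the session key exchange and the deadline check are left out.

```python
import hashlib
import os

def H(x: bytes) -> bytes:
    """The one-way hash H; SHA-1 gives the 20-byte values assumed in Section 6."""
    return hashlib.sha1(x).digest()

def make_chain(n: bytes, m: int) -> list:
    """[H^0(n), H^1(n), ..., H^m(n)] with H^0(n) = n and H^i(n) = H(H^{i-1}(n))."""
    chain = [n]
    for _ in range(m):
        chain.append(H(chain[-1]))
    return chain

class Subscriber:
    """C: commits to H^m(n) in the signed view request, then releases H^{m-1}(n), H^{m-2}(n), ..."""
    def __init__(self, m: int):
        self.m = m
        self.chain = make_chain(os.urandom(20), m)  # n: fresh random 20-byte string
        self.next_i = m - 1                          # index of the next value to release

    def commitment(self) -> bytes:
        return self.chain[self.m]  # H^m(n), carried in sSc(S, Id, Pr, L, m, H^m(n), Tg)

    def release(self) -> bytes:
        """One chained value per charging unit L, in the order m-1, m-2, ..., 0."""
        v = self.chain[self.next_i]
        self.next_i -= 1
        return v

class ServiceProvider:
    """S: keeps only the last accepted chained hash value as evidence."""
    def __init__(self, h_m: bytes):
        self.last = h_m  # initially H^m(n) from the view request
        self.units = 0   # j: charging units delivered so far

    def accept(self, h_i: bytes) -> bool:
        """Check H(H^i(n)) = H^{i+1}(n); if so overwrite the evidence and serve the next unit."""
        if H(h_i) != self.last:
            return False  # missing or wrong value: S cuts off the service
        self.last = h_i
        self.units += 1
        return True

    def reconnect(self, j: int, h_mj: bytes) -> bool:
        """Reconnection request (Id, Tg, j, H^{m-j}(n)) must match the stored evidence."""
        return j == self.units and h_mj == self.last

def arbitrate(m: int, h_m: bytes, j: int, last: bytes) -> bool:
    """Arbitrator's check: H^j(last) = H^m(n) proves a service of duration L * j."""
    v = last
    for _ in range(j):
        v = H(v)
    return v == h_m

def run_session(m: int, units: int) -> tuple:
    c = Subscriber(m)
    s = ServiceProvider(c.commitment())
    for _ in range(units):
        s.accept(c.release())
    bogus_rejected = not s.accept(os.urandom(20))  # a value off the chain is refused
    reconnect_ok = s.reconnect(s.units, c.chain[m - s.units])
    evidence_ok = arbitrate(m, c.commitment(), s.units, s.last)
    overclaim_ok = arbitrate(m, c.commitment(), s.units + 1, s.last)  # S cannot add a unit
    return s.units, evidence_ok, reconnect_ok, bogus_rejected, overclaim_ok
```

run_session(180, 37) serves 37 one-minute units of a 3-hour program and then interrupts: the reconnection and the arbitrator's check for 37 units succeed, while S cannot substantiate a 38th unit from the evidence it holds.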

5 Maintaining Validity of Evidence 

In order to support undeniable billing in PPV service, digital signatures are 
generated and collected as non-repudiation evidence in our mechanisms SPPV 
and FPPV. As signature keys may be compromised and the validity of signatures 
may become questionable, additional security mechanisms need to be imposed 
on digital signatures. 

A straightforward approach to secure digital signatures for non-repudiation 
requires that users interact with an on-line trusted time-stamping authority (TS) 
to get each newly generated digital signature time-stamped, so that 
there is extra evidence to prove whether the signature was generated before the 
corresponding public key certificate was revoked and thus is deemed valid. Such 
an approach may be employed in high value business transactions where security 
is the most important requirement. However, it is probably not cost-effective in 
ordinary on-line transactions. 

An efficient approach to secure digital signatures as non-repudiation evidence 
has been proposed in which two different types of signature keys are defined. 

— Revocable signature keys - the corresponding verification key certificates are 
issued by a certification authority (CA), and can be revoked as usual. 

— Irrevocable signature keys - the corresponding verification key certificates are 
issued by users themselves and time-stamped by a time-stamping authority 
(TS). Such certificates cannot be revoked before their expiry. 
The revocable signature key is used as a long-term master key to issue irrevo- 
cable verification key certificates while the irrevocable signature key is used as 
a temporary key to sign electronic documents. The digital signatures generated 
in such a way will remain valid until the corresponding irrevocable verification 
key certificates expire, and thus can be exempted from being time-stamped by a 
time-stamping authority during on-line transactions. 

The second approach can significantly improve the efficiency of mass on-line 
transactions. However, as the generation of irrevocable signature/verification key 
pairs needs much more computation and storage capacity, it seems infeasible 
to be implemented in a smart card. Here we put forward a new approach to 
maintain the validity of evidence for subscribers equipped with a smart card in 
PPV service. 

The idea behind our approach is the establishment of a one-way sequential 
link of the subscriber C’s signed view requests. The one-way sequential link has 
the property that any change to the order of C’s signatures or insertion of a new 
signature into the link will be detected. If C wants to revoke his verification key 
used in PPV service, C only needs to ask the service provider S to countersign 
C’s latest signed view request. With S’s countersignature, C can deny other view 
requests which are signed with his revoked key but not in the countersigned link. 
Hence, S should not accept C’s view request signed with his revoked key once 
S has confirmed C’s revocation request. 

Suppose C is going to make the view requests Req_1, Req_2, ..., Req_i. C can 
establish a one-way sequential link of his signed view requests σ_1, σ_2, ..., σ_i as 
follows. 

σ_1 = sSc(Req_1) 

σ_2 = sSc(Req_2, H(σ_1)) 

... 

σ_i = sSc(Req_i, H(σ_{i-1})) 

For 1 < j ≤ i, S will check whether σ_j is linked properly to σ_{j-1} before accepting 
C’s jth view request. Then we have the following claims. 

Claim 1. σ_1, σ_2, ..., σ_i are sequential. That means, for 1 < j ≤ i, σ_j is generated 
later than σ_{j-1}. 

Proof: Since H(σ_{i-1}) is a part of the signed message in σ_i = sSc(Req_i, H(σ_{i-1})), 
H(σ_{i-1}) is a fixed value. According to the definition of a one-way hash function, 
it is computationally infeasible to find its input σ_{i-1}. Therefore, σ_{i-1} should have 
been generated before generating σ_i. For the same reason, σ_{j-1} (j = i-1, ..., 2) 
should have been generated before generating σ_j. Hence, σ_1, σ_2, ..., σ_i are se- 
quential. 

Claim 2. σ_1, σ_2, ..., σ_i are one-way linked. That means, for 1 < j ≤ i, it is 
computationally infeasible to generate a valid signature σ' which is linked between 
σ_j and σ_{j-1}. 

Proof: For 1 < j ≤ i, suppose σ' = sSc(Req', H(σ_{j-1})) is a signature to be in- 
serted between σ_{j-1} = sSc(Req_{j-1}, H(σ_{j-2})) and σ_j = sSc(Req_j, H(σ_{j-1})). σ' 
should meet the requirement that H(σ') = H(σ_{j-1}) while σ' ≠ σ_{j-1}. According 
to the definition of a one-way hash function, it is computationally infeasible to 
find such a value. Hence, σ_1, σ_2, ..., σ_i are one-way linked. 

If C thinks that his signature key Sc may have been compromised, or he 
does not want to request services from S any more after C made his ith view 
request, C can revoke his public key certificate submitted to S at subscription 
by initiating the following revocation protocol. 

1. C → S: σ_i 

2. S → C: sSs(σ_i) 

Once S receives C’s revocation request, S checks whether σ_i is C’s latest view 
request. If so, S confirms C’s revocation request. Here we assume that C holds S’s 
public verification key and thus can check S’s countersignature sSs(σ_i). With 
evidence sSs(σ_i), C can deny all other view requests signed with Sc except 
σ_1, σ_2, ..., σ_i. 

When C receives a bill from S and claims that σ_j is a signature forged by 
somebody else with Sc after the public key certificate had been revoked at S but 
S disagrees, C may provide evidence sSs(σ_i) to an arbitrator to prove that S had 
confirmed C’s revocation request. Then the arbitrator will ask S to present C’s 
one-way sequential link σ_k, σ_{k+1}, ..., σ_i generated with Sc from the beginning 
of that billing period to check whether σ_j is a signature in the link. If not, C 
can deny it. Otherwise, C is liable for the corresponding charge. 

The major advantage of this approach is that there is no involvement of a 
trusted third party in the process of key revocation. Hence, this approach will 
be very efficient in applications where a one-way sequential link of signatures 
can be established. 
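The one-way sequential link, the revocation countersignature and the arbitrator's membership check of Section 5, as an added example that is not the paper's code. Because it must run offline without a public-key library, sSc and sSs are modelled with HMAC-SHA256 tags (so here the verifier holds the same secret as the signer, an assumption that a real signature scheme does not need); the link logic itself follows σ_j = sSc(Req_j, H(σ_{j-1})).

```python
import hashlib
import hmac
import os
from typing import List, Optional

def H(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()

def sign(key: bytes, msg: bytes) -> bytes:
    """Stand-in for sS(msg): msg followed by an HMAC-SHA256 tag (an assumption, not the paper's scheme)."""
    return msg + hmac.new(key, msg, hashlib.sha256).digest()

def verify(key: bytes, sigma: bytes) -> Optional[bytes]:
    """Return the signed message if the tag verifies, else None."""
    msg, tag = sigma[:-32], sigma[-32:]
    return msg if hmac.compare_digest(tag, hmac.new(key, msg, hashlib.sha256).digest()) else None

def link_request(sc: bytes, req: bytes, prev: Optional[bytes]) -> bytes:
    """sigma_1 = sSc(Req_1); sigma_j = sSc(Req_j, H(sigma_{j-1})) for j > 1."""
    return sign(sc, req if prev is None else req + H(prev))

def properly_linked(vc: bytes, sigma: bytes, prev: Optional[bytes]) -> bool:
    """S's check before accepting the jth request: valid signature that carries H(sigma_{j-1})."""
    msg = verify(vc, sigma)
    if msg is None:
        return False
    return prev is None or msg[-32:] == H(prev)

def arbitrate(vc: bytes, vs: bytes, link: List[bytes], countersig: bytes, disputed: bytes) -> bool:
    """True if C is liable for `disputed`: it lies in the properly linked chain S presents,
    cut at the sigma_i that S countersigned when confirming C's revocation request."""
    sigma_i = verify(vs, countersig)
    if sigma_i is None or sigma_i not in link:
        raise ValueError("countersignature does not cover a signature in the presented link")
    link = link[:link.index(sigma_i) + 1]  # anything after sigma_i post-dates the revocation
    for prev, cur in zip([None] + link[:-1], link):
        if not properly_linked(vc, cur, prev):
            return False  # S presented a broken link: it proves nothing
    return disputed in link

def scenario() -> tuple:
    sc = os.urandom(32)  # C's key Sc; with HMAC the verifier key Vc is the same secret (assumption)
    ss = os.urandom(32)  # S's key Ss
    reqs = [b"Req1:Id=film-A", b"Req2:Id=film-B", b"Req3:Id=film-C"]  # constructed requests
    link, prev = [], None
    for r in reqs:
        sigma = link_request(sc, r, prev)
        if not properly_linked(sc, sigma, prev):
            raise AssertionError("honest request rejected")
        link.append(sigma)
        prev = sigma
    countersig = sign(ss, link[-1])  # revocation protocol: S returns sSs(sigma_3)
    # Sc leaks after the revocation; the forger tries to insert sigma' behind sigma_2
    # (Claim 2) and to append a sigma_4 after the countersigned sigma_3.
    inserted = link_request(sc, b"Req':Id=film-X", link[1])
    appended = link_request(sc, b"Req4:Id=film-Y", link[2])
    return (arbitrate(sc, ss, link, countersig, link[1]),                # genuine request: liable
            arbitrate(sc, ss, link, countersig, inserted),               # not in the link: deniable
            arbitrate(sc, ss, link + [appended], countersig, appended),  # after sigma_i: deniable
            properly_linked(sc, link[2], inserted))                      # sigma_3 does not chain from sigma'
```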

6 Supporting Mobility of Subscribers 

To attract subscribers to make more frequent use of the video service, it is desir- 
able that subscribers can securely request PPV service regardless of their physical 
location. Here we assess the storage requirement and computation overheads for 
executing protocol FPPV in a smart card. 



A subscriber C needs to store 

— cryptographic keys: Sc, Pc and Vs (128 bytes each), Ks (20 bytes); 

— view request parameters: S (20 bytes), Id (10 bytes), Pr (5 bytes), Tg (14 
bytes), L and m (2 bytes each). 

The estimated memory for the above items is 457 bytes. The major demand 
for storage is the hash chain generated when making a view request. Suppose 
the minimum charging unit L = 1 minute and the upper bound of a video program 
is 3 hours; then the maximum length of the hash chain is m = 180. Each hash 
value is 20 bytes long, thus 180 * 20 = 3600 bytes are required to store the 
whole hash chain, and the total memory required in protocol FPPV is about 
457 + 3600 = 4057 bytes. Such a storage requirement is feasible for current smart 
cards with an average EEPROM size of 4 – 8K bytes. 

Actually, we can reduce the storage of a hash chain at the cost of reasonable 
computation overheads if the hash chain is very long. For example, we may 
only store 9 hash values H^0(n), H^20(n), H^40(n), ..., H^160(n) of the above 
hash chain. Then other chained hash values can be computed easily. Hence, the 
memory for the hash chain can be reduced to 9 * 20 = 180 bytes. 

When a subscriber C makes a view request, his major computation overheads 
are generating a hash chain and a digital signature, and performing a public key 
decryption and a signature verification. With the current smart card technology 
[3], these operations for a typical video length (i.e. a moderate value of m) can 
be finished within a few seconds. After making a successful request, C needs to 
release a chained hash value for each charging unit L during the service. Based 
on the above storage arrangement of the hash chain, C needs to execute at 
most 19 hash operations to get the required hash value, since any H^i(n) can be 
calculated from the nearest stored value below it in the chain, which takes only a 
few milliseconds. As we assume the minimum charging unit L = 1 minute, the 
required hash value can always be ready for release during the service. 

The above analysis shows that protocol FPPV is lightweight and can be 
implemented in a smart card to support mobility of PPV subscribers. 
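The storage/computation trade-off of Section 6, as an added example that is not the paper's code: the card keeps only every 20th value of the chain and recomputes a required H^i(n) from the nearest stored value below it. SHA-1 is assumed for the 20-byte hash values; for m = 180 and step 20 it stores 9 values (180 bytes instead of 3600) and never needs more than 19 hash operations per release.

```python
import hashlib
from typing import List, Tuple

def H(x: bytes) -> bytes:
    return hashlib.sha1(x).digest()  # 20-byte hash values as assumed in Section 6

def hash_power(x: bytes, k: int) -> bytes:
    """H^k(x): apply H k times."""
    for _ in range(k):
        x = H(x)
    return x

def store_checkpoints(n: bytes, m: int, step: int) -> List[bytes]:
    """What the card keeps: H^0(n), H^step(n), H^{2*step}(n), ... below H^m(n)
    (9 values for m = 180, step = 20, as in the paper)."""
    return [hash_power(n, k) for k in range(0, m, step)]

def release(checkpoints: List[bytes], i: int, step: int) -> Tuple[bytes, int]:
    """Recompute H^i(n) from the nearest checkpoint at or below i. Returns (value, hash ops)."""
    k, ops = divmod(i, step)
    return hash_power(checkpoints[k], ops), ops

def card_profile(n: bytes, m: int, step: int) -> Tuple[int, int, int, bool]:
    """(bytes for the full chain, bytes for the checkpoints, worst-case hash ops per
    release, whether every released value equals the full-chain value)."""
    cps = store_checkpoints(n, m, step)
    full = [hash_power(n, i) for i in range(m)]  # reference only; the card never holds this
    worst, correct = 0, True
    for i in range(m - 1, -1, -1):  # release order during the service: m-1, m-2, ..., 0
        v, ops = release(cps, i, step)
        worst = max(worst, ops)
        correct = correct and v == full[i]
    return m * 20, len(cps) * 20, worst, correct
```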

7 Conclusion 

Pay-per-view video service on the Web has the following merits compared with 
the current cable TV. 

— Subscribers can choose to watch the programs that they are interested in; 

— Subscribers can watch these programs at any time; 

— Subscribers only need to pay what they have watched. 

This paper proposed a secure PPV scheme for web-based video service. The 
highlights of our scheme are 

— Non-repudiation of billing - the correctness of a bill is incontestable; 
— Subscriber mobility - subscribers can request PPV service securely by the 
use of their own smart cards; 

— Practical and efficient - the validity of evidence can be maintained without 
invoking trusted third parties. 